[FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II
Medium
WordPress
Reported by
yzy9951
Vulnerability Details
Technical details and impact analysis
**Subject**: [FG-VD-18-165] Wordpress Cross-Site Scripting Vulnerability Notification II
Dear Wordpress,
Fortinet's FortiGuard Labs have discovered a security issue in your product Wordpress on 12/11/2018. We estimate its risk level is 3, on a scale of 1 (lowest) to 5 (highest), in terms of its impact. Please advise of the appropriate contact person in your company to handle this issue.
Fortinet's research remains ethical at all times, and we therefore strive for Responsible Disclosure. Fortinet's vulnerability disclosure policy can be found at https://fortiguard.com/zeroday/responsible-disclosure.
For this particular issue, we will wait until 01/11/2019 for vendor response before we post an advisory on our website (https://fortiguard.com/zeroday) and/or any other publication form (e.g. conference talk, demo, podcast, etc.).
In the case you agree to patch this issue, we'll extend the disclosure deadline to 90 days (it's 03/12/2019 for this issue) automatically.
We might disclose it *earlier* than that date only if:
1) Public proof of concept code for the vulnerability is released or it's disclosed by other people, increasing the danger of the vulnerability being exploited in the wild;
2) Active attack against the vulnerability is detected;
3) Or you have patched the vulnerability or released solution/workaround - a positive fact we'll be happy to mention.
Fortinet will use reasonable efforts to communicate a schedule of planned mediums, including conferences with the appropriate stakeholders within the affected company.
Our security researchers work on your product or service either because it is popular and/or interesting, so please take this positively. This research is done free of charge for you, although our researchers will appreciate being mentioned in a Hall of Fame or bug bounty if any. Threats to our security researchers are not acceptable and will be dealt with by our Legal team.
We look forward to working closely with you to resolve this issue. If you wish to switch to confidential emails, our PGP key can be found at https://fortiguard.com/secresearch-pgpkey.
Kind regards,
Fortinet's FortiGuard Labs.
--------------------------------------------
Type of Vulnerability & Repercussions:
Cross-Site Scripting
Affected Product:
Wordpress 5.0
Credits:
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.
Proof of Concept & Additional Information:
The Cross-Site Scripting (XSS) issue exists in the Post Shortcode function.
An attacker with Contributor or higher permission can add the following Shortcode in a Post ""><img src=1 onerror=prompt(1)>>" (note: remove the starting and ending double quotes). See figures 1 & 2.
When any user previews this Post in the administrator interface, the XSS code will be executed. See figure 3.
## Impact
Cross-Site Scripting
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Stored