
WordPress (Core) Stored XSS Vulnerability


Jasper_The_Rasper
Moderator
By Zhouyuan Yang | September 12, 2019
FortiGuard Labs Breaking Threat Research

Overview

WordPress is the world’s most popular Content Management System (CMS). It has 60.4% of the global CMS market share, which is far higher than the second-place Joomla!, which only has 5.2% of the market share. As a result, over a third of all of the websites on the Internet were built using WordPress.

The FortiGuard Labs team recently discovered a stored Cross-Site Scripting (XSS) zero-day vulnerability in WordPress. This XSS vulnerability is caused by the new built-in editor Gutenberg found in WordPress 5.0. The editor fails to filter the JavaScript/HTML code in the Shortcode error message. This allows a remote attacker with Contributor or higher permissions to execute arbitrary JavaScript/HTML code in the browser of victims who access the compromised webpage. If the victim has high permissions, such as an administrator, the attacker could even compromise the web server.
This stored XSS vulnerability affects WordPress versions from 5.0 to 5.2.2.

Full Article.
