WordPress is vulnerable to cross-site scripting (XSS). The vulnerability exists because it was possible to use the embed block to inject unfiltered HTML through $post->post_content, which would then be executed in the editor/wp-admin.
github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
lists.debian.org/debian-lts-announce/2020/07/msg00000.html
lists.fedoraproject.org/archives/list/[email protected]/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
lists.fedoraproject.org/archives/list/[email protected]/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
www.debian.org/security/2020/dsa-4709