EPSS Percentile: 38.8%
WordPress is vulnerable to cross-site scripting (XSS) attacks. These attacks are possible because .js files can be uploaded by users who do not have the unfiltered_html capability.
codex.wordpress.org/Version_4.9.1
core.trac.wordpress.org/ticket/42261
wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/