wpksesbad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
{ "binaries": [ { "binary_name": "wordpress", "binary_version": "4.4.2+dfsg-1ubuntu1" }, { "binary_name": "wordpress-l10n", "binary_version": "4.4.2+dfsg-1ubuntu1" }, { "binary_name": "wordpress-theme-twentyfifteen", "binary_version": "4.4.2+dfsg-1ubuntu1" }, { "binary_name": "wordpress-theme-twentyfourteen", "binary_version": "4.4.2+dfsg-1ubuntu1" }, { "binary_name": "wordpress-theme-twentysixteen", "binary_version": "4.4.2+dfsg-1ubuntu1" } ] }
{ "binaries": [ { "binary_name": "wordpress", "binary_version": "4.9.5+dfsg1-1" }, { "binary_name": "wordpress-l10n", "binary_version": "4.9.5+dfsg1-1" }, { "binary_name": "wordpress-theme-twentyfifteen", "binary_version": "4.9.5+dfsg1-1" }, { "binary_name": "wordpress-theme-twentyseventeen", "binary_version": "4.9.5+dfsg1-1" }, { "binary_name": "wordpress-theme-twentysixteen", "binary_version": "4.9.5+dfsg1-1" } ] }