wpksesbad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
{ "binaries": [ { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-l10n" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentyfifteen" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentyfourteen" }, { "binary_version": "4.4.2+dfsg-1ubuntu1", "binary_name": "wordpress-theme-twentysixteen" } ] }
{ "binaries": [ { "binary_version": "4.9.5+dfsg1-1", "binary_name": "wordpress" }, { "binary_version": "4.9.5+dfsg1-1", "binary_name": "wordpress-l10n" }, { "binary_version": "4.9.5+dfsg1-1", "binary_name": "wordpress-theme-twentyfifteen" }, { "binary_version": "4.9.5+dfsg1-1", "binary_name": "wordpress-theme-twentyseventeen" }, { "binary_version": "4.9.5+dfsg1-1", "binary_name": "wordpress-theme-twentysixteen" } ] }