CVE-2017-17092
Description
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress before 4.9.1 allows users without unfiltered_html capability to upload .js files, enabling stored XSS.
Vulnerability
WordPress versions before 4.9.1 are affected by a cross-site scripting (XSS) vulnerability residing in the get_allowed_mime_types function within wp-includes/functions.php [1]. The function, which determines allowed file upload types for users, previously removed the htm|html extensions when a user lacked the unfiltered_html capability, but did not similarly remove the js extension. In WordPress 4.9.1, the commit [1] adds $t['js'] to the unset call, closing this oversight. Versions up to and including 4.9.0 are vulnerable.
Exploitation
An attacker with any account role that has upload privileges but lacks the unfiltered_html capability (typically contributors or authors) can upload a crafted .js file to the WordPress media library [1]. No additional authentication bypass is needed; the file upload process will accept the JavaScript file because the mime type check does not block it for non-admin users. The attacker then needs to convince a site administrator or a user with higher privileges to load or reference that uploaded file, triggering the XSS payload.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a privileged user's session when the malicious .js file is loaded [1]. This can lead to theft of cookies, session hijacking, impersonation of the user, and potential further compromise of the site or its data. The impact is limited to stored XSS against users who view or include the uploaded file.
Mitigation
The issue is fixed in WordPress version 4.9.1, released on November 30, 2017 [1]. Users should upgrade to WordPress 4.9.1 or later immediately. No workaround is recommended other than upgrading; site administrators can also restrict upload capabilities to trusted users only until the upgrade is applied. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <4.9.1)
- (no CPE) (range: <4.9.1)
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
67d03a98c2ca Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
2 files changed · +4 −3
wp-includes/functions.php+3 −2 modified@@ -2565,8 +2565,9 @@ function get_allowed_mime_types( $user = null ) { if ( function_exists( 'current_user_can' ) ) $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' ); - if ( empty( $unfiltered ) ) - unset( $t['htm|html'] ); + if ( empty( $unfiltered ) ) { + unset( $t['htm|html'], $t['js'] ); + } /** * Filters list of allowed mime types and file extensions.
wp-includes/version.php+1 −1 modified@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0-alpha-42260'; +$wp_version = '5.0-alpha-42261'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
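Review bot: in the functions.php hunk, `unset( $t['htm|html'], $t['js'] )` runs before the filter described in the trailing context ("Filters list of allowed mime types and file extensions."), so a plugin hooked on that filter can add `js` back for users lacking `unfiltered_html`; state in the docblock or commit message that this capability gate is a default rather than an enforced boundary, and add a test for a user without `unfiltered_html` asserting that no `js` key survives, so the hardening cannot silently regress. The hunk also depends on the allowed-types array using the exact key `js`; if that key is ever renamed to a pattern (the way `htm|html` is), this unset becomes a no-op, which is another reason to cover it with a test.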
Vulnerability mechanics
Root cause
"Missing capability check: the `get_allowed_mime_types()` function did not remove the `js` mime type for users lacking the `unfiltered_html` capability, allowing JavaScript file uploads."
Attack vector
An attacker with a low-privileged account (e.g., a subscriber or author role) who does not possess the `unfiltered_html` capability can upload a `.js` file as a media attachment. Because the server does not reject the upload, the crafted JavaScript file is stored on the WordPress instance. If the attacker then tricks an administrator or other user into visiting a page that loads or executes that file, the attacker can achieve stored cross-site scripting (XSS) [CWE-79]. The CVSS vector indicates the attack requires user interaction (e.g., clicking a link) and is launched over the network.
Affected code
The vulnerability is in `wp-includes/functions.php`, specifically in the `get_allowed_mime_types()` function. The patch modifies the logic that removes certain mime types when a user lacks the `unfiltered_html` capability. Previously, only the `htm|html` extension was removed; the patch adds `js` to the unset list so that JavaScript files are also blocked for non-privileged users.
What the fix does
The fix in [patch_id=1995556] adds `$t['js']` to the `unset()` call inside the `if ( empty( $unfiltered ) )` block in `get_allowed_mime_types()`. Previously, only the `htm|html` mime type was removed for users lacking `unfiltered_html`; the `js` mime type remained allowed, enabling JavaScript file uploads. By also removing `js`, the patch ensures that users without `unfiltered_html` capability cannot upload JavaScript files, closing the XSS vector. The version bump in [patch_id=1995555] is a routine release tag update.
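For an unpatched site, or one where a plugin widens the allowed list again, the same capability gate can be re-applied through the `upload_mimes` filter that runs after the `unset()` shown above. This is an added example written for this page, not WordPress core code; the plugin header, function name and mu-plugins path are assumptions about a standard install.

```php
<?php
/**
 * Plugin Name: Capability-gated JavaScript upload block (hypothetical mu-plugin)
 *
 * Added example, not WordPress core code: re-applies the 4.9.1 hardening via the
 * upload_mimes filter so that users without unfiltered_html cannot upload .js
 * files even if an earlier filter re-added the extension.
 * Assumed location: wp-content/mu-plugins/ (loaded without activation).
 */
function example_strip_js_for_unfiltered_users( $mimes, $user = null ) {
    // Same capability test as get_allowed_mime_types(): an explicit user when
    // the caller passed one, otherwise the current session's user.
    $unfiltered = $user ? user_can( $user, 'unfiltered_html' ) : current_user_can( 'unfiltered_html' );
    if ( empty( $unfiltered ) ) {
        // Remove every key whose pipe-separated extension list contains "js",
        // so the check does not depend on the key being exactly 'js'.
        foreach ( array_keys( $mimes ) as $ext_pattern ) {
            if ( in_array( 'js', explode( '|', $ext_pattern ), true ) ) {
                unset( $mimes[ $ext_pattern ] );
            }
        }
    }
    return $mimes;
}
// Lowest possible priority so this runs after any plugin that widens the list.
add_filter( 'upload_mimes', 'example_strip_js_for_unfiltered_users', PHP_INT_MAX, 2 );
```

This only narrows what the media uploader accepts for unprivileged accounts; it does not remove `.js` files already present in the uploads directory, which should be reviewed separately after upgrading.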
Preconditions
- auth: Attacker must have a WordPress user account that lacks the 'unfiltered_html' capability (e.g., Subscriber or Author role)
- config: The WordPress instance must allow file uploads (media library enabled)
- input: Attacker must be able to upload a .js file as a media attachment
- network: A victim with higher privileges (e.g., Admin) must be tricked into loading or executing the uploaded JavaScript file
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codex.wordpress.org/Version_4.9.1 (nvd: Patch, Release Notes, Vendor Advisory)
- github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 (nvd: Patch, Third Party Advisory)
- www.securityfocus.com/bid/102024 (nvd: Third Party Advisory, VDB Entry)
- lists.debian.org/debian-lts-announce/2017/12/msg00019.html (nvd: Mailing List, Third Party Advisory)
- wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ (nvd: Release Notes, Vendor Advisory)
- wpvulndb.com/vulnerabilities/8966 (nvd: Third Party Advisory, VDB Entry)
- www.debian.org/security/2018/dsa-4090 (nvd: Third Party Advisory)