CVE-2017-17093
Description
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress before 4.9.1 has a stored XSS vulnerability via the language attribute due to insufficient escaping.
Vulnerability
The get_language_attributes() function in wp-includes/general-template.php did not escape the language value it retrieved via get_bloginfo('language'). As a result, the lang and xml:lang attributes of the `<html>` element could carry unsanitized data: a value containing a double quote could close the attribute and inject arbitrary markup, enabling cross-site scripting (XSS). Affected versions: WordPress prior to 4.9.1 [1].
Exploitation
An attacker must first gain the ability to modify the site's language setting (e.g., by compromising an administrator account or by exploiting another vulnerability that writes site options). Once the language is set to a malicious string, every page that builds its `<html>` element through get_language_attributes() includes the tainted attribute unescaped, so the injected JavaScript runs in the browser of every visitor, authenticated users included [1].
Impact
Successful exploitation leads to stored XSS. An attacker can execute arbitrary JavaScript, steal session cookies, deface pages, or perform actions on behalf of authenticated users. Because exploitation requires changing the language setting, this is not an unauthenticated attack: it is a way for an account that can change site options, or for an attacker who has reached that setting through another vulnerability, to run script against every visitor, including more privileged users [1].
Mitigation
WordPress 4.9.1, released on November 29, 2017, fixes the issue by applying esc_attr() to the language value in get_language_attributes() [2]. All sites should update to 4.9.1 or later; Debian shipped the fix through DSA-4090 and a Debian LTS update. There is no configuration workaround: short of updating, limit the ability to change site options to trusted accounts and confirm that the stored language value is a plain locale code such as en_US rather than anything containing quotes or angle brackets [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <4.9.1)
- (no CPE) (range: <4.9.1)
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
3713ac5ebc90 Hardening: Add escaping to the language attributes used on `html` elements.
2 files changed · +8 −6
wp-includes/general-template.php+7 −5 modified@@ -3568,12 +3568,14 @@ function get_language_attributes( $doctype = 'html' ) { if ( function_exists( 'is_rtl' ) && is_rtl() ) $attributes[] = 'dir="rtl"'; - if ( $lang = get_bloginfo('language') ) { - if ( get_option('html_type') == 'text/html' || $doctype == 'html' ) - $attributes[] = "lang=\"$lang\""; + if ( $lang = get_bloginfo( 'language' ) ) { + if ( get_option( 'html_type' ) == 'text/html' || $doctype == 'html' ) { + $attributes[] = 'lang="' . esc_attr( $lang ) . '"'; + } - if ( get_option('html_type') != 'text/html' || $doctype == 'xhtml' ) - $attributes[] = "xml:lang=\"$lang\""; + if ( get_option( 'html_type' ) != 'text/html' || $doctype == 'xhtml' ) { + $attributes[] = 'xml:lang="' . esc_attr( $lang ) . '"'; + } } $output = implode(' ', $attributes);
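Review bot: esc_attr() on the two `$lang` interpolations stops the attribute break-out, but the hunk still trusts whatever `get_bloginfo( 'language' )` returns; a site language is a narrow token (letters, digits, `-`, `_`), so consider also rejecting anything else before the `lang=` / `xml:lang=` branches (for example `if ( $lang && preg_match( '/^[A-Za-z0-9_-]+$/', $lang ) )`), which keeps a tampered option value out of the markup entirely instead of only neutralising quotes and angle brackets. While the block is being reformatted, the surviving assignment-in-condition `if ( $lang = get_bloginfo( 'language' ) )` and the loose `==` / `!=` comparisons against `get_option( 'html_type' )` are worth tightening to a separate assignment and `===` / `!==`.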
wp-includes/version.php+1 −1 modified@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0-alpha-42258'; +$wp_version = '5.0-alpha-42259'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
Vulnerability mechanics
Root cause
"Missing output escaping of the language attribute value in `get_language_attributes()` allows stored cross-site scripting."
Attack vector
An attacker who can influence the site's language setting (e.g., a user with the capability to change site options) can inject a malicious payload into the language value. When `get_language_attributes()` outputs the `lang` attribute on the `
Affected code
The vulnerability resides in the `get_language_attributes()` function in `wp-includes/general-template.php`. The function constructs `lang` and `xml:lang` HTML attributes using the site's language setting obtained via `get_bloginfo('language')`, but prior to the patch it directly interpolated the value into the attribute string without escaping [patch_id=1995551].
What the fix does
The patch wraps the `$lang` variable with `esc_attr()` before inserting it into both the `lang` and `xml:lang` attribute strings [patch_id=1995551][ref_id=1]. `esc_attr()` encodes `<`, `>`, `&`, `"` and `'`, the characters that could terminate the attribute value or start a tag, so an attacker-controlled value can no longer break out of the attribute context and inject HTML or JavaScript. The commit message explicitly states the change is for "Hardening: Add escaping to the language attributes used on `html` elements" [ref_id=1].
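To make the Exploitation section above and the fix described here concrete, the following is an added example and not WordPress's own code: it reimplements the pre-4.9.1 and 4.9.1 forms of the attribute construction, feeds both a constructed malicious site-language value in place of get_bloginfo('language'), and adds a hypothetical plausibility check of the kind a site could run over its stored language option. esc_attr_like() is an approximation of core's esc_attr() built on htmlspecialchars(); is_plausible_language_tag() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not WordPress code): reproduces the vulnerable and the
// hardened construction of the lang/xml:lang attribute from
// get_language_attributes() in wp-includes/general-template.php, driven by
// a constructed site-language value instead of get_bloginfo('language').

// Stand-in for WordPress's esc_attr(): encode the characters that can close an
// attribute value or open a tag. Core does this with _wp_specialchars() and
// ENT_QUOTES without double-encoding; htmlspecialchars() approximates that here.
function esc_attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Pre-4.9.1 behaviour: the language value is interpolated into the attribute
// string unescaped, exactly as the removed lines of the patch did.
function language_attributes_vulnerable(string $lang, string $doctype = 'html'): string {
    $attributes = array();
    if ($lang !== '') {
        if ($doctype === 'html') {
            $attributes[] = "lang=\"$lang\"";
        } else {
            $attributes[] = "xml:lang=\"$lang\"";
        }
    }
    return implode(' ', $attributes);
}

// 4.9.1 behaviour: the value passes through esc_attr() before concatenation.
function language_attributes_fixed(string $lang, string $doctype = 'html'): string {
    $attributes = array();
    if ($lang !== '') {
        if ($doctype === 'html') {
            $attributes[] = 'lang="' . esc_attr_like($lang) . '"';
        } else {
            $attributes[] = 'xml:lang="' . esc_attr_like($lang) . '"';
        }
    }
    return implode(' ', $attributes);
}

// Defence in depth (hypothetical helper, not part of core): a real site
// language is a locale-style tag such as "en-US", "pt-BR" or "de-DE-formal",
// so any other character in the stored option is a sign of tampering.
function is_plausible_language_tag(string $lang): bool {
    return (bool) preg_match('/^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})*$/', $lang);
}

// Constructed inputs: a normal value, and a value that closes the attribute and
// the <html> start tag, injects a script element, and re-opens an attribute so
// the remaining markup still parses cleanly.
$benign    = 'en-US';
$malicious = 'en"><script>alert(document.domain)</script><html lang="';

foreach (array($benign, $malicious) as $lang) {
    echo "input:      $lang\n";
    echo "vulnerable: <html " . language_attributes_vulnerable($lang) . ">\n";
    echo "fixed:      <html " . language_attributes_fixed($lang) . ">\n";
    echo "plausible:  " . (is_plausible_language_tag($lang) ? 'yes' : 'NO, investigate') . "\n\n";
}
```

Run it with `php example.php`. For the malicious input the vulnerable line emits a live `<script>` element inside the document, while the fixed line emits `lang="en&quot;&gt;&lt;script&gt;...&quot;"`, which the browser treats as an odd but harmless attribute value; the plausibility check flags the same input as something to investigate in the stored option regardless of how it is rendered.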
Preconditions
- auth: The attacker must be able to set or influence the site's language option (e.g., a WordPress administrator or another user with the `manage_options` capability).
- input: The victim must load a page that renders the `<html>` element's `lang` (or `xml:lang`) attribute through `get_language_attributes()`; standard themes do this via `language_attributes()` in the page header.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codex.wordpress.org/Version_4.9.1 (NVD: Patch, Release Notes, Vendor Advisory)
- github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a (NVD: Patch, Third Party Advisory)
- www.securityfocus.com/bid/102024 (NVD: Third Party Advisory, VDB Entry)
- lists.debian.org/debian-lts-announce/2017/12/msg00019.html (NVD: Mailing List, Third Party Advisory)
- wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ (NVD: Release Notes, Vendor Advisory)
- wpvulndb.com/vulnerabilities/8968 (NVD: Third Party Advisory, VDB Entry)
- www.debian.org/security/2018/dsa-4090 (NVD: Third Party Advisory)
News mentions
No linked articles in our index yet.