CVE-2017-17094
Description
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress before 4.9.1 fails to properly escape enclosure attributes in RSS and Atom feeds, allowing stored XSS via crafted URLs.
Vulnerability
WordPress versions 4.9 and earlier are affected by a cross-site scripting (XSS) vulnerability in the wp-includes/feed.php file. The rss_enclosure() and atom_enclosure() functions do not correctly escape the url, length, and type attributes of the enclosure tags they emit for RSS and Atom feeds [1][2]. Specifically, the code passed the URL through htmlspecialchars rather than the WordPress-specific escaping functions esc_url() and esc_attr(), and did not cast numeric values with absint() [3]. An attacker can inject malicious JavaScript by crafting a URL that, when included as an enclosure in a feed, is output without proper escaping.
Exploitation
An attacker needs the ability to supply a crafted URL that is used as an enclosure in an RSS or Atom feed. This could be achieved by setting a malicious enclosure URL on content that appears in the feed, or by exploiting another vector to inject the malicious URL into the feed data. The attacker does not need authentication if they can submit content to the feed; the XSS will execute when a user views the feed in a browser that processes the enclosure tags.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when they view the compromised feed. This can lead to information disclosure, session hijacking, or other malicious actions depending on the attacker's payload. The vulnerability is classified as medium severity with a CVSS v3 score of 5.4 [1][2].
Mitigation
The vulnerability is fixed in WordPress version 4.9.1, released on November 29, 2017 [1][2]. The fix replaces htmlspecialchars with esc_url() for the URL, esc_attr() for the type attribute, and absint() for the length attribute [3]. Users should upgrade to WordPress 4.9.1 or later immediately. No known workarounds are available for earlier versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <4.9.1)
- (no CPE) (range: <4.9.1)
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
f1de7e42df29 Hardening: Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
2 files changed · +3 −3
wp-includes/feed.php+2 −2 modified@@ -476,7 +476,7 @@ function rss_enclosure() { * * @param string $html_link_tag The HTML link tag with a URI and other attributes. */ - echo apply_filters( 'rss_enclosure', '<enclosure url="' . trim( htmlspecialchars( $enclosure[0] ) ) . '" length="' . trim( $enclosure[1] ) . '" type="' . $type . '" />' . "\n" ); + echo apply_filters( 'rss_enclosure', '<enclosure url="' . esc_url( trim( $enclosure[0] ) ) . '" length="' . absint( trim( $enclosure[1] ) ) . '" type="' . esc_attr( $type ) . '" />' . "\n" ); } } } @@ -510,7 +510,7 @@ function atom_enclosure() { * * @param string $html_link_tag The HTML link tag with a URI and other attributes. */ - echo apply_filters( 'atom_enclosure', '<link href="' . trim( htmlspecialchars( $enclosure[0] ) ) . '" rel="enclosure" length="' . trim( $enclosure[1] ) . '" type="' . trim( $enclosure[2] ) . '" />' . "\n" ); + echo apply_filters( 'atom_enclosure', '<link href="' . esc_url( trim( $enclosure[0] ) ) . '" rel="enclosure" length="' . absint( trim( $enclosure[1] ) ) . '" type="' . esc_attr( trim( $enclosure[2] ) ) . '" />' . "\n" ); } } }
wp-includes/version.php+1 −1 modified@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '5.0-alpha-42259'; +$wp_version = '5.0-alpha-42260'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
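Review bot: in the `rss_enclosure()` hunk, `esc_url( trim( $enclosure[0] ) )` returns an empty string when the URL's scheme is not on the allowed list, so a rejected enclosure is still echoed as `<enclosure url="" length="..." type="..." />`; consider assigning the escaped URL to a variable first and skipping the echo when it is empty rather than emitting an enclosure with no URL. Also, the docblock kept as context above this call still reads `@param string $html_link_tag The HTML link tag with a URI and other attributes.`, which describes the Atom `<link>` element, not the RSS `<enclosure>` element this filter receives; update the parameter name and description so the filter documentation matches the markup now being escaped.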
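Review bot: in the `atom_enclosure()` hunk, `absint( trim( $enclosure[1] ) )` maps a missing or non-numeric stored length to 0 and the attribute is still emitted unconditionally as `length="0"`; since the Atom link `length` attribute is optional, consider omitting it when the cast yields 0 instead of advertising a zero-byte enclosure. The escaping itself is consistent with the `rss_enclosure()` hunk (`esc_url()` on the href, `absint()` on length, `esc_attr()` on the trimmed type), which is the right shape for this fix.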
Vulnerability mechanics
Root cause
"Improper neutralization of enclosure attributes in RSS and Atom feed output allows injection of arbitrary HTML or JavaScript."
Attack vector
An attacker with the ability to influence enclosure metadata (e.g., a user who can upload media or otherwise set enclosure URLs) can craft a URL containing JavaScript or other malicious content. When the feed is rendered, the unescaped attributes in the enclosure tags allow the injected script to execute in the context of the page viewing the feed, leading to stored cross-site scripting [CWE-79]. The attack requires the attacker to have some level of access (e.g., contributor or author role) to insert a crafted enclosure URL, and a victim with higher privileges (e.g., administrator) to view the feed.
Affected code
The vulnerability resides in `wp-includes/feed.php` within the `rss_enclosure()` and `atom_enclosure()` functions. These functions output enclosure tags for RSS and Atom feeds without properly escaping the URL, length, and type attributes [patch_id=1995546].
What the fix does
The patch replaces `htmlspecialchars()` with `esc_url()` for the URL attribute, adds `absint()` for the length attribute, and adds `esc_attr()` for the type attribute in both `rss_enclosure()` and `atom_enclosure()` [patch_id=1995546]. `esc_url()` properly sanitizes URLs by stripping dangerous schemes and encoding special characters, while `absint()` ensures the length is a non-negative integer, and `esc_attr()` escapes HTML entities in attribute values. These changes prevent injection of arbitrary HTML or JavaScript through enclosure fields [ref_id=1].
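The before and after shape of `rss_enclosure()` as an added Python model, not WordPress's own code: `esc_url()`, `esc_attr()` and `absint()` are simplified re-implementations of the behaviour described above (the real `esc_url()` also normalises scheme-less and encoded input), `ENCLOSURE` is a constructed sample whose type value carries a harmless attribute-breakout marker, and the final check shows how a defender can confirm that every emitted attribute value stayed inside its quotes.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed enclosure triple (url, length, mime type) as WordPress keeps it in post
# meta; the type value carries a harmless attribute-breakout marker for the demo.
ENCLOSURE = ("https://example.com/ep1.mp3", "12345abc", 'audio/mpeg"><injected/')

# Scheme allow-list modelled on wp_allowed_protocols(); simplified, not the real list.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps", "mailto", "news", "irc", "feed"}

def esc_url(url: str) -> str:
    """Model of esc_url(): reject URLs whose scheme is not allowed (WordPress returns
    '' in that case) and encode characters that could terminate the attribute."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(url, quote=True)

def esc_attr(value: str) -> str:
    """Model of esc_attr(): encode &, <, > and both quote characters."""
    return html.escape(value, quote=True)

def absint(value: str) -> int:
    """Model of absint(): PHP's (int) cast keeps a leading numeric prefix and gives 0
    otherwise; the result is made non-negative."""
    m = re.match(r"\s*[-+]?\d+", str(value))
    return abs(int(m.group())) if m else 0

def rss_enclosure_before(enc):
    """Pre-4.9.1 shape: only the URL passes through htmlspecialchars(); length and
    type are concatenated raw (the type-token splitting is omitted for brevity)."""
    url, length, mime = enc
    return '<enclosure url="%s" length="%s" type="%s" />' % (
        html.escape(url.strip(), quote=True), length.strip(), mime.strip())

def rss_enclosure_after(enc):
    """Shape of the 4.9.1 fix: esc_url() on url, absint() on length, esc_attr() on type."""
    url, length, mime = enc
    return '<enclosure url="%s" length="%d" type="%s" />' % (
        esc_url(url), absint(length.strip()), esc_attr(mime.strip()))

def attributes_contained(tag: str) -> bool:
    """Defender's check for one emitted tag: exactly one '<' and exactly the six quotes
    of three attributes means no value escaped its quoting."""
    return tag.count("<") == 1 and tag.count('"') == 6
```

Running `attributes_contained()` over both outputs for `ENCLOSURE` shows the pre-fix tag breaking open on the type value while the fixed tag keeps every value encoded inside its attribute.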
Preconditions
- Auth: Attacker must have the ability to set or influence enclosure URLs in RSS/Atom feed entries (e.g., as a contributor or author uploading media).
- Input: A victim with a higher privilege level (e.g., administrator) must view the crafted feed.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codex.wordpress.org/Version_4.9.1 (nvd: Patch, Vendor Advisory)
- github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de (nvd: Patch, Third Party Advisory)
- wpvulndb.com/vulnerabilities/8967 (nvd: Patch, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/102024 (nvd: Third Party Advisory, VDB Entry)
- lists.debian.org/debian-lts-announce/2017/12/msg00019.html (nvd: Mailing List, Third Party Advisory)
- wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ (nvd: Release Notes, Vendor Advisory)
- www.debian.org/security/2018/dsa-4090 (nvd: Third Party Advisory)