VYPR
Medium severity · 5.4 · NVD Advisory · Published Mar 12, 2017 · Updated May 13, 2026

CVE-2017-6814


Description

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress before 4.7.3 contains authenticated XSS via media file metadata in playlist shortcode and JavaScript handler.

Vulnerability

In WordPress versions before 4.7.3, authenticated Cross-Site Scripting (XSS) vulnerabilities exist in the audio playlist functionality. The flaws are located in two places: (1) the wp_playlist_shortcode function in wp-includes/media.php mishandles metadata extracted from uploaded media files, and (2) the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js mishandles track meta information. An attacker who can upload a crafted MP3 file with malicious metadata (e.g., in ID3 tags) and then insert a playlist shortcode can trigger the XSS [1][2].

Exploitation

To exploit this vulnerability, an attacker first uploads an MP3 file whose ID3 metadata (for example the track title or artist field) contains a JavaScript payload. A user with Contributor-level access or higher can then insert a playlist shortcode that references the uploaded file. Whenever that playlist is rendered, including when an Editor or Administrator previews or reviews the post, the metadata is output without proper sanitization and the JavaScript executes in the browser of whoever is viewing the playlist, with the privileges of that user's authenticated session [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a logged-in WordPress user, such as an Editor or Administrator. This could lead to session hijacking, privilege escalation, or defacement, depending on the attacker's objectives [1]. The vulnerability is rated Medium (CVSS 5.4).

Mitigation

The fix was released in WordPress version 4.7.3 on 2017-03-06. The patch introduced calls to wp_kses_post_deep() to sanitize video and audio metadata in wp_read_video_metadata() and wp_read_audio_metadata() [2]. Users should upgrade to WordPress 4.7.3 or later; no workaround is available for earlier versions. Because the filter runs when metadata is extracted from the file, the code change shown on this page does not retroactively clean metadata that was already extracted and stored for audio and video attachments uploaded before the upgrade; those attachments should be reviewed or their metadata regenerated.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <=4.7.2)
  • WordPress (no CPE), range: <4.7.3
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches (1)

28f838ca3ee2

Validate video and audio metadata.

https://github.com/wordpress/wordpress · Jeremy Felt · Mar 6, 2017 · via nvd-ref
2 files changed · +5 −1
  • wp-admin/includes/media.php+4 0 modified
    @@ -3072,6 +3072,8 @@ function wp_read_video_metadata( $file ) {
     
     	wp_add_id3_tag_data( $metadata, $data );
     
    +	$metadata = wp_kses_post_deep( $metadata );
    +
     	return $metadata;
     }
     
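Review bot: filtering inside wp_read_video_metadata() only covers metadata extracted after this change lands; attachments whose metadata was read and stored before the upgrade keep whatever their container tags contained, and the output sites named in the advisory (the playlist shortcode and renderTracks) still receive it unfiltered. Either pair this with escaping at those output sites, or document that stored metadata for existing video attachments must be regenerated after upgrading.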
    @@ -3117,6 +3119,8 @@ function wp_read_audio_metadata( $file ) {
     
     	wp_add_id3_tag_data( $metadata, $data );
     
    +	$metadata = wp_kses_post_deep( $metadata );
    +
     	return $metadata;
     }
     
    
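Review bot: wp_kses_post_deep() applies the post-content allowlist, so the strings returned from wp_read_audio_metadata() may still carry HTML that wp_kses_post permits (links, images, inline formatting), and a legitimate title containing a literal '<' is altered rather than preserved. For fields that are only ever displayed as text, escaping at the point of output (esc_html() in the shortcode, an escaping template tag in wp-playlist.js) would keep the original title intact and not depend on the allowlist; at minimum the docblock for wp_read_audio_metadata() should state that the returned values are now kses-filtered, since callers that previously expected raw tag text will see different data.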
  • wp-includes/version.php+1 1 modified
    @@ -4,7 +4,7 @@
      *
      * @global string $wp_version
      */
    -$wp_version = '4.8-alpha-40147';
    +$wp_version = '4.8-alpha-40148';
     
     /**
      * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
    

Vulnerability mechanics

Root cause

"Missing output sanitization of audio file ID3 metadata before it is used in HTML generation and DOM manipulation."

Attack vector

An attacker with Editor or Administrator privileges uploads a crafted MP3 file containing malicious JavaScript in its ID3 metadata (e.g., track title, artist). When a Contributor or higher inserts an Audio Playlist using the `[playlist]` shortcode, the unsanitized metadata is rendered in two ways: (1) server-side in the `

Affected code

The vulnerability involves two code paths. First, the `wp_playlist_shortcode()` function in `wp-includes/media.php` creates a `

What the fix does

The patch adds `wp_kses_post_deep( $metadata )` calls in both `wp_read_video_metadata()` and `wp_read_audio_metadata()` in `wp-admin/includes/media.php` [patch_id=1995511]. This recursively sanitizes all metadata fields using `wp_kses_post`, which strips dangerous HTML tags and attributes while allowing safe post content. By sanitizing the metadata at the point of extraction from the file, the fix ensures that any downstream use of the metadata — whether in the playlist shortcode server-side or in the JavaScript `renderTracks()` function — receives safe, neutralized input, closing both XSS vectors.

Preconditions

  • auth: Attacker must have a role that can upload media files (the upload_files capability); the reproduction on this page uses an Editor or Administrator account
  • input: Victim (or attacker) must insert an Audio Playlist shortcode that includes the malicious file
  • input: Attacker must craft an MP3 file with malicious JavaScript in ID3 metadata fields

Reproduction

1. As an Editor or Administrator, upload a crafted MP3 file containing malicious JavaScript in its ID3 metadata (e.g., track title) to the Media Library. A sample file is available at https://www.securify.nl/advisory/SFY20160742/xss.mp3 [ref_id=1].
2. As a Contributor or higher, insert an Audio Playlist in a Post that includes this MP3 file. The XSS payload executes when the playlist is rendered.
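The following Python script is an added illustration of the reproduction steps above and of the "What the fix does" discussion; it is not WordPress code, not the Securify sample file, and not a substitute for getID3. It builds a minimal MP3 whose ID3v2.3 TIT2 (title) frame carries a constructed XSS payload, reads the title back the way an unfiltering metadata extractor would, and then renders that title into the two output contexts the advisory names: plain HTML (the noscript fallback) and JSON embedded in a script element (the data the client-side renderer consumes). The markup shapes, the function names, and the per-context escaping are the author's own choices, shown as an alternative to sanitizing once at extraction time as the 4.7.3 patch does; the JSON example goes beyond the page by showing why a raw `</script>` inside a JSON string is a problem of its own.

```python
"""Added illustration, not WordPress code: craft an MP3 whose ID3v2.3 title frame
carries an XSS payload, read the title back unfiltered, and render it into the
two output contexts named in the advisory."""
import html
import json
import struct
from typing import List, Optional

# Constructed attacker input: the ID3 TIT2 (title) text of the crafted file.
PAYLOAD_TITLE = "Track 1 <script>alert(document.domain)</script>"


def _syncsafe(n: int) -> bytes:
    """ID3v2 tag sizes are 28-bit 'syncsafe' integers: 7 payload bits per byte."""
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))


def _unsyncsafe(raw: bytes) -> int:
    n = 0
    for byte in raw:
        n = (n << 7) | (byte & 0x7F)
    return n


def build_mp3_with_title(title: str) -> bytes:
    """Minimal 'MP3': an ID3v2.3 tag holding one TIT2 frame, followed by a single
    MPEG-1 Layer III frame header (constructed bytes, not a real recording)."""
    text = b"\x00" + title.encode("latin-1")          # encoding byte 0 = ISO-8859-1
    # ID3v2.3 frame: 4-byte id, plain big-endian 32-bit size, 2 flag bytes, body
    frame = b"TIT2" + struct.pack(">I", len(text)) + b"\x00\x00" + text
    tag_header = b"ID3" + b"\x03\x00" + b"\x00" + _syncsafe(len(frame))
    mpeg_frame_header = b"\xff\xfb\x90\x00"              # sync word + bitrate/samplerate bits
    return tag_header + frame + mpeg_frame_header


def read_id3_title(data: bytes) -> Optional[str]:
    """Walk ID3v2.3 frames and return the TIT2 text verbatim, with no filtering,
    which is what the pre-4.7.3 metadata readers handed downstream."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] != 3:
        return None
    end = 10 + _unsyncsafe(data[6:10])
    pos = 10
    while pos + 10 <= end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":              # padding: no more frames
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + size]
        if frame_id == b"TIT2" and body and body[0] == 0:
            return body[1:].decode("latin-1")
        pos += 10 + size
    return None


def render_unsafe(title: str) -> str:
    """Pre-fix shape: the extracted title dropped straight into HTML."""
    return f"<li>{title}</li>"


def render_noscript_item(title: str) -> str:
    """HTML text context: entity-escape, which neutralises the payload without
    changing what the title says (unlike an allowlist filter that strips tags)."""
    return f"<li>{html.escape(title, quote=True)}</li>"


def render_playlist_json(tracks: List[dict]) -> str:
    """JSON inside <script type="application/json">: a literal '</script' inside a
    JSON string would close the element early, so '<', '>' and '&' are written as
    \\uXXXX escapes. JSON.parse on the client still yields the real characters."""
    payload = json.dumps({"tracks": tracks})
    payload = payload.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f'<script type="application/json" class="wp-playlist-script">{payload}</script>'


def demo() -> dict:
    """Round-trip the crafted file and render its title in each context."""
    mp3 = build_mp3_with_title(PAYLOAD_TITLE)
    title = read_id3_title(mp3)
    return {
        "title": title,
        "unsafe": render_unsafe(title),
        "noscript": render_noscript_item(title),
        "json": render_playlist_json([{"src": "xss.mp3", "title": title}]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the round-tripped title and the three renderings; the unsafe rendering contains a live script element, the noscript rendering contains only entities, and the JSON rendering contains exactly one `</script>`, the real closing tag. Either output-side escaping or the extraction-time filter in 4.7.3 breaks the chain, but only escaping at output protects attachments whose metadata was stored before the fix.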

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
