CVE-2018-18919
Description
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: v10.0.0, v10.0.1, v6.1.4, …
- Range: =10.0.1
Patches
Vulnerability mechanics
Root cause
"Stored XSS due to insufficient sanitization of user-supplied markdown content in the comment area."
Attack vector
An attacker with administrator or editor role posts a crafted comment containing a markdown link with a JavaScript payload in the URL portion, e.g. `[http://www.test.com"><script>alert(233)</script>](http://www.test.com"><script>alert(233)</script>)` [ref_id=1]. The plugin renders this markdown without proper output encoding, causing the injected script to execute when any user visits the comment page [ref_id=1]. The attack requires that the site administrator has enabled "使评论支持Markdown写作" (enable Markdown in comments) via the plugin settings [ref_id=1].
Affected code
The advisory [ref_id=1] does not specify particular files or functions. The vulnerability exists in the WP Editor.md plugin (version 10.0.1) markdown rendering logic for the WordPress comment area.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide a fix commit or remediation guidance beyond the disclosure of the vulnerability. The plugin author would need to add proper HTML escaping or sanitization to the markdown rendering pipeline for comment content to prevent script injection.
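The advisory describes the defect but shows no rendering code, so the following is an added illustration in JavaScript, not the plugin's own code and not taken from the advisory. It models a toy markdown link renderer of the kind a comment pipeline might use: `renderLinkNaive` interpolates the link text and URL straight into HTML and reproduces the described failure with the advisory's sample comment, while `renderLinkSafe` applies the two controls the text above calls for, attribute/text encoding of everything user-supplied and a scheme allowlist for the `href`. The regex, the function names and the allowlist are assumptions made for this example.

```javascript
// Added example: toy markdown link rendering for a WordPress-style comment
// area. Not the WP Editor.md plugin's code; names and regex are assumptions.

// Matches [text](url). The url group tolerates one level of nested parentheses
// so a URL such as ...alert(233)... is captured whole (toy grammar, not CommonMark).
const LINK_RE = /\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)/g;

// Sample comment constructed from the payload quoted in the advisory.
const SAMPLE_COMMENT =
  '[http://www.test.com"><script>alert(233)</script>]' +
  '(http://www.test.com"><script>alert(233)</script>)';

// Vulnerable form: user input lands inside an attribute and the element body
// with no encoding, so a quote in the URL closes the href and a tag follows.
function renderLinkNaive(markdown) {
  return markdown.replace(LINK_RE, (_m, text, url) => `<a href="${url}">${text}</a>`);
}

// HTML-encode the five characters that can change meaning in text or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Only these URL schemes are allowed in an href; everything else (javascript:,
// data:, vbscript:, relative paths for this toy) is replaced by a harmless "#".
const SAFE_SCHEME_RE = /^\s*(https?|mailto):/i;

function safeHref(url) {
  if (!SAFE_SCHEME_RE.test(url)) return '#';
  // Scheme check alone is not enough: the advisory's payload starts with http:
  // and still breaks out of the attribute, so the value is also attribute-encoded.
  return escapeHtml(url.trim());
}

// Hardened form: every user-controlled fragment is encoded for the context it
// lands in, and the href scheme is allowlisted.
function renderLinkSafe(markdown) {
  return markdown.replace(
    LINK_RE,
    (_m, text, url) => `<a href="${safeHref(url)}">${escapeHtml(text)}</a>`
  );
}

// Simple defender-side check: does rendered HTML contain a raw <script tag?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

console.log('naive  :', renderLinkNaive(SAMPLE_COMMENT));
console.log('safe   :', renderLinkSafe(SAMPLE_COMMENT));
console.log('naive contains <script?', containsScriptTag(renderLinkNaive(SAMPLE_COMMENT)));
console.log('safe contains <script?', containsScriptTag(renderLinkSafe(SAMPLE_COMMENT)));
```

In a real WordPress deployment the same two steps belong on the server side, applied at output time after markdown conversion (for example by passing the rendered HTML through `wp_kses_post`, which enforces an allowlist of tags, attributes and URL protocols), rather than relying on the editor's client-side JavaScript.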
Preconditions
- config: The plugin setting '使评论支持Markdown写作' (enable Markdown in comments) must be checked.
- auth: The attacker must have administrator or editor role on the WordPress site.
- input: The attacker posts a comment containing a crafted markdown link with a JavaScript payload.
Reproduction
1. As a site administrator, navigate to the plugin settings and enable "使评论支持Markdown写作" (enable Markdown in comments) [ref_id=1].
2. Log in with an administrator or editor role and post a comment containing the payload: `[http://www.test.com"><script>alert(233)</script>](http://www.test.com"><script>alert(233)</script>)` [ref_id=1].
3. Visit the comment page — the JavaScript executes, demonstrating stored XSS [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/JaxsonWang/WP-Editor.md/issues/275 (MISC)
News mentions
No linked articles in our index yet.