WordPress plugins or themes that bundle the genericons package are vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability because of an insecure file shipped with genericons.

The JetPack plugin and the TwentyFifteen theme (installed by default) have been found to be vulnerable. The exact number of affected sites is difficult to determine, but both the plugin and the theme are default installs in millions of WordPress installations.

The root issue is the genericons package itself, so any plugin or theme that uses this package is potentially vulnerable if it still includes the example.html file that ships with the package.
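Because the exposure comes from a single shipped file rather than from a specific plugin, the practical check for a site owner is to locate every copy of example.html inside a genericons directory under wp-content and remove it. The script below is an added example, not code from the original advisory or from the JetPack, TwentyFifteen or genericons projects. The wp-content layout it builds for its self-test is constructed for illustration; the subdirectory names are assumptions and the scanner does not rely on them, only on a file named example.html inside a directory named genericons.

```shell
#!/bin/sh
# Added example: find (and optionally remove) copies of the genericons
# example.html file under a WordPress wp-content directory.

# find_genericons_examples WP_CONTENT_DIR
# Prints one path per line for every example.html located inside a
# directory named "genericons". Returns 0 if at least one was found,
# 1 if none were found, 2 if the argument is not a directory.
find_genericons_examples() {
    wp_content="$1"
    [ -d "$wp_content" ] || { echo "not a directory: $wp_content" >&2; return 2; }
    hits=$(find "$wp_content" -type f -path '*/genericons/*' -name 'example.html' 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# count_genericons_examples WP_CONTENT_DIR
# Prints the number of matching files (0 when none).
count_genericons_examples() {
    find_genericons_examples "$1" 2>/dev/null | grep -c . || true
}

# remove_genericons_examples WP_CONTENT_DIR
# Deletes every matching file; the example page is not needed at runtime.
remove_genericons_examples() {
    find_genericons_examples "$1" 2>/dev/null | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# build_sample_tree DIR
# Constructs a fake wp-content tree for demonstration. Directory names are
# assumed, not taken from the advisory; the plugin and theme simply mirror
# the two defaults the advisory names. One decoy example.html sits outside
# any genericons directory and must not be reported.
build_sample_tree() {
    base="$1"
    mkdir -p "$base/plugins/jetpack/_inc/genericons/genericons" \
             "$base/themes/twentyfifteen/genericons" \
             "$base/plugins/other-plugin/assets"
    : > "$base/plugins/jetpack/_inc/genericons/genericons/example.html"
    : > "$base/themes/twentyfifteen/genericons/example.html"
    : > "$base/themes/twentyfifteen/genericons/genericons.css"
    : > "$base/plugins/other-plugin/assets/example.html"   # decoy, not genericons
}

# Stand-alone demonstration on a temporary constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    echo "before: $(count_genericons_examples "$tmp") copies"
    remove_genericons_examples "$tmp"
    echo "after:  $(count_genericons_examples "$tmp") copies"
    rm -rf "$tmp"
fi
```

Against a live site, run the scanner as the web server user on the real wp-content directory (for example `find_genericons_examples /var/www/html/wp-content`) after sourcing the script; the match rule is deliberately narrow so an unrelated example.html in some other asset directory is left alone.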
