WordPress plugins or themes that bundle the genericons package are vulnerable to a DOM-based cross-site scripting (XSS) vulnerability because of an insecure file included with genericons.

The JetPack plugin and the TwentyFifteen theme (installed by default) have been found to be vulnerable. The exact number of affected sites is difficult to determine, but both the plugin and the theme are default installs in millions of WordPress sites.

The root cause is the genericons package itself, so any plugin or theme that uses this package is potentially vulnerable if it ships the example.html file that comes with the package.
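As an added check (not part of the advisory or of the genericons project), the shell functions below locate every copy of genericons' example.html under a WordPress root so it can be removed and confirm none remain afterwards; they assume the package is unpacked into a directory named genericons, and the root path is a parameter.

```shell
#!/bin/sh
# Added example: find and remove genericons' example.html in a WordPress tree.
# Assumption: the package lives in a directory named "genericons" (any depth,
# under themes, plugins or vendored copies). Requires find with -ipath/-delete
# (GNU and BSD find both have them).

# List every example.html that sits directly inside a genericons directory.
# Usage: find_genericons_examples /var/www/html
find_genericons_examples() {
    root="${1:-.}"
    find "$root" -type f -ipath '*/genericons/example.html' -print
}

# Number of copies found; 0 means the install is clean with respect to this file.
count_genericons_examples() {
    find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Remove the copies (the file is a demo page, not needed by any plugin or theme),
# printing each path as it is deleted. Re-run after every plugin/theme update,
# since an update can restore the file.
remove_genericons_examples() {
    root="${1:-.}"
    find "$root" -type f -ipath '*/genericons/example.html' -print -delete
}
```

Run count_genericons_examples again after updates; a non-zero result means an update has reintroduced the file.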
