• We received notification that the datepicker used in jQuery UI in WP Core is vulnerable to an XSS attack.

    Is there a way to safely and permanently replace this file without breaking WordPress/future updates?

    Message received:

    THREAT REFERENCE
    
    Summary: 
    vulnerable jQuery UI version: 1.11.4
    
    Risk: High (3)
    Port: 443/tcp
    Protocol: tcp
    Threat ID: web_lib_jqueryui
    
    Details: jQuery UI closeText Cross-site Scripting Vulnerability
    08/17/18
    CVE 2016-7103
    Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
    
    Information From Target:
    Service: https
    Sent:
    GET /wp-includes/js/jquery/ui/datepicker.min.js?ver=1.11.4 HTTP/1.0
    Host: [removed]
    
    Received:
    * jQuery UI Datepicker 1.11.4
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘jQuery UI datepicker < 1.11.4 vulnerable to XSS attack’ is closed to new replies.