I found a known XSS vulnerability in the recent version of jquery-wp-content.
In particular, the bug we report is a known bug, tracked as CVE-2019-20041.
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
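The mechanism in the CVE description, shown as an added example that is not code from WordPress, VaultPress or jquery-wp-content: a simplified Python model of the scheme check performed by wp_kses_bad_protocol_once(), with the pre-5.3.1 separator pattern beside one that also recognises the HTML5 named entity &colon; (the behaviour 5.3.1 establishes). The function names, the allow-list and the inputs are constructed for the demonstration; the regular expressions approximate the kses logic rather than reproduce it.

```python
import html
import re

# Constructed allow-list for the demonstration (WordPress uses a larger,
# filterable list).
ALLOWED_PROTOCOLS = ("http", "https", "mailto", "ftp")

# Pre-5.3.1 model: only a literal ':' and the numeric entities for ':'
# (&#58; and &#x3a;, with optional leading zeros) count as the scheme
# separator. The HTML5 named entity &colon; is not recognised.
SPLIT_VULNERABLE = re.compile(r":|&#0*58;|&#x0*3a;", re.I)

# Hardened model: &colon; is a separator too, so the scheme before it is
# checked like any other.
SPLIT_FIXED = re.compile(r":|&#0*58;|&#x0*3a;|&colon;", re.I)


def bad_protocol_once(value, splitter):
    """One pass of the check: split at the first colon-like token, decode
    entities and strip whitespace from the scheme, and drop the scheme when
    it is not on the allow-list. Simplified model of kses, not its code."""
    parts = splitter.split(value, maxsplit=1)
    if len(parts) < 2:
        # No separator seen: the value is passed through untouched.
        return value
    scheme = html.unescape(parts[0])
    scheme = re.sub(r"\s", "", scheme).lower()
    if scheme in ALLOWED_PROTOCOLS:
        return value
    return parts[1].strip()


def bad_protocol(value, splitter, max_iterations=6):
    """Repeat the single pass until the value stops changing, as the loop in
    wp_kses_bad_protocol() does, so stacked schemes are peeled off."""
    for _ in range(max_iterations):
        cleaned = bad_protocol_once(value, splitter)
        if cleaned == value:
            break
        value = cleaned
    return value


def browser_view(attr_value):
    """What an HTML parser hands to the URL parser for href="...": character
    references are decoded first, so &colon; becomes a real ':'."""
    return html.unescape(attr_value)


if __name__ == "__main__":
    # Constructed inputs: the first two are caught by both models, the third
    # and fourth slip through the pre-5.3.1 split, the last is benign.
    payloads = [
        "javascript:alert(1)",
        "javascript&#58;alert(1)",
        "javascript&colon;alert(1)",
        "JAVA&#x0A;SCRIPT&colon;alert(1)",
        "https://example.com/",
    ]
    for p in payloads:
        vuln = bad_protocol(p, SPLIT_VULNERABLE)
        fixed = bad_protocol(p, SPLIT_FIXED)
        print(f"{p!r:36} pre-5.3.1 -> {vuln!r:36} "
              f"(browser sees {browser_view(vuln)!r})  fixed -> {fixed!r}")
```

The point to take from the run is the third payload: the sanitizer never sees a separator, returns the attribute value unchanged, and the browser's entity decoding then turns it into a javascript: URL. Any copy of the pre-5.3.1 logic, including one carried in a third-party plugin, keeps this gap until its split recognises the named entity.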
Hi
Please check this line: https://github.com/jquery/jquery-wp-content/blob/bb05d9c93312d2d7eaf9211fc73dbc6f52fd618c/plugins/vaultpress/class.vaultpress-hotfixes.php#L788
Thanks!