Two flaws in WordPress allow you to insert malicious code in a publication



Seva
03-16-2017, 08:24 AM
Sucuri shared details about one of the cross-site scripting (XSS) vulnerabilities fixed last week in WordPress. The flaw can be very useful to attackers in combination with another vulnerability, a content injection bug, which has been used in real attacks.

WordPress version 4.7.3, released on March 6, fixes six vulnerabilities, including three XSS holes. One of them, tracked as CVE-2017-6817, was discovered by Sucuri researcher Marc Montpas.

The vulnerability allows an authenticated attacker to insert arbitrary JavaScript code into a post; it can be exploited via YouTube URL shortcodes. An attacker with member privileges can use the flaw to run a backdoor on the target site.

Since exploitation requires at least member-level privileges, the vulnerability is considered critical. However, the risk is much higher in versions prior to 4.7.2, which are also exposed to another vulnerability.

The content injection hole, also discovered by Sucuri researchers, has been used to run code remotely and deface web pages. Combined with the XSS vulnerability, it allows a remote attacker to inject malicious JavaScript code into posts on a WordPress website.
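The post describes XSS through a YouTube URL passed in an embed shortcode. As an added illustration (not code from the post or from WordPress), the block below shows the defensive pattern for that class of bug: validate the URL against a strict allowlist, build the embed `src` from the extracted video id only, and flag shortcode bodies that fail validation when scanning post content. The `[embed]` shortcode form, the `SAMPLE_POST` text and the helper names are constructed for this example.

```python
import re

# Allowlist for a YouTube watch/short URL: scheme, host, an 11-character video id,
# and optionally a query string made only of harmless characters. Anything that
# could break out of an HTML attribute (quotes, angle brackets, spaces) fails.
YOUTUBE_URL = re.compile(
    r"https?://(?:www\.)?(?:youtube\.com/watch\?v=|youtu\.be/)"
    r"([A-Za-z0-9_-]{11})(?:[&?][A-Za-z0-9_=&%.-]*)?"
)

# Shortcode form assumed for this example: [embed]URL[/embed]
EMBED_SHORTCODE = re.compile(r"\[embed\](.*?)\[/embed\]", re.DOTALL)

# Constructed post content: one well-formed embed, one with an attribute-breaking suffix.
SAMPLE_POST = (
    "Some intro text.\n"
    "[embed]https://www.youtube.com/watch?v=dQw4w9WgXcQ[/embed]\n"
    "[embed]https://www.youtube.com/watch?v=dQw4w9WgXcQ\" data-x=\"1[/embed]\n"
)


def youtube_video_id(url: str):
    """Return the 11-char video id if `url` fully matches the allowlist, else None."""
    m = YOUTUBE_URL.fullmatch(url.strip())
    return m.group(1) if m else None


def safe_embed_src(url: str):
    """Build the iframe src from the validated id only; the raw URL is never echoed."""
    vid = youtube_video_id(url)
    return f"https://www.youtube.com/embed/{vid}" if vid else None


def flag_suspicious_embeds(post_content: str):
    """Return every [embed] body in the content that fails strict validation."""
    return [body for body in EMBED_SHORTCODE.findall(post_content)
            if youtube_video_id(body) is None]


if __name__ == "__main__":
    for body in flag_suspicious_embeds(SAMPLE_POST):
        print("suspicious embed:", body)
```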