CVE-2017-17094

Name: CVE-2017-17094
Creator: NVD / NIST
Published: 2017-12-02T06:29:00.347+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.38%

Last modified Jun 17, 2026

CVE-2017-17094 is a vulnerability of currently unknown severity. wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.. EPSS estimates a 2.38% chance of exploitation in the next 30 days.

Description

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

Metrics

EPSS Probability

2.38%

81.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Wordpress	Wordpress	< 4.9.1
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

http://www.securityfocus.com/bid/102024Third Party Advisory, VDB Entry
https://codex.wordpress.org/Version_4.9.1Patch, Vendor Advisory
https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541dePatch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00019.htmlMailing List, Third Party Advisory
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/Release Notes, Vendor Advisory
https://wpvulndb.com/vulnerabilities/8967Patch, Third Party Advisory, VDB Entry
https://www.debian.org/security/2018/dsa-4090Third Party Advisory
http://www.securityfocus.com/bid/102024Third Party Advisory, VDB Entry
https://codex.wordpress.org/Version_4.9.1Patch, Vendor Advisory
https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541dePatch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00019.htmlMailing List, Third Party Advisory
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/Release Notes, Vendor Advisory
https://wpvulndb.com/vulnerabilities/8967Patch, Third Party Advisory, VDB Entry
https://www.debian.org/security/2018/dsa-4090Third Party Advisory

Timeline

Published: Dec 2, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-17094?

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

How severe is CVE-2017-17094?

Severity scoring for CVE-2017-17094 is pending analysis. The EPSS model estimates a 2.38% probability of exploitation in the next 30 days.

How do I fix CVE-2017-17094?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-17094?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST