If you use the unfiltered_html setting in a multisite setup, make sure the site whitelisting option is set to ‘yes’. If it is not, an authenticated user with high privilege could execute arbitrary HTML code in the context of another website; an attacker could use such a high-privilege user to inject malicious HTML code into another website, for example via a third-party contact form or email. In the WordPress default configuration, unfiltered_html is set to false, which means that all input is sanitised and standardised before being sent to the user. On a multisite setup, setting the site whitelisting option to ‘yes’ prevents high-privilege users from executing malicious code on other websites.

Fixed in 4.9.3

In WordPress 4.9.3, unfiltered_html is set to true by default. This means that input is not sanitised and standardised before being sent to the user, so if you are using a multisite setup, make sure the site whitelisting option is set to ‘yes’ in order to prevent high-privilege users from executing malicious code on other websites.


Conclusion - Protecting Your Site from Attackers

The WordPress default configuration sets unfiltered_html to false, which means that all input is sanitised and standardised before being sent to the user. If you are using a multisite setup, make sure the site whitelisting option is set to ‘yes’ in order to prevent high-privilege users from executing malicious code on other websites.

Check if you are affected

If you use this setting, ensure that the site whitelisting option is set to ‘yes’. If it is not, contact your hosting provider for assistance in changing the default setting.

Avoiding Cross-Site Scripting in WordPress Multisite

The best way to avoid cross-site scripting (XSS) in WordPress multisite is to ensure that the unfiltered_html setting in wp-config.php is set to true. This sets the default for all sites and prevents a high-privilege user from executing malicious code on another website, such as via a contact form on an unrelated website or via email.

CVE-2022-3138

If you use the unfiltered_html setting in a multisite setup, make sure the site whitelisting option is set to ‘yes’. If it is not, an authenticated user with low privilege could execute arbitrary HTML code in the context of another website; an attacker could use such a low-privilege user to inject malicious HTML code into another website, for example via a third-party contact form or email. In the WordPress default configuration, unfiltered_html is set to false, which means that all input is sanitised and standardised before being sent to the user. On a multisite setup, setting the site whitelisting option to ‘yes’ prevents low-privilege users from executing malicious code on other websites.

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/12/2022 16:42:00 UTC
