CVE-2024-8241: Wp Unescaped Class Join
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | PHP | β
`greprules fetch cve-2024-8241-wp-unescaped-class-join --engine opengrep`

Description
Detected unescaped output of a classes array via `join()` or `implode()`. In WordPress, failing to escape classes arrays before outputting them can lead to Cross-Site Scripting (XSS) if any class name contains user input (like block attributes). Wrap the array output in `esc_attr()`: `esc_attr(join(' ', $classes))`.
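The flagged pattern next to the fix, as an added example (not code from the rule or from any plugin). The `render_card_*` callbacks, the `wp-block-card` class and the sample attribute value are hypothetical, and the `esc_attr()` stand-in is an assumption that only exists so the file runs outside WordPress:

```php
<?php
// Stand-in for WordPress's esc_attr() so this runs without WordPress loaded
// (assumption: HTML-entity encoding with both quote styles covered).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical block render callback collecting CSS classes.
function card_classes( array $attributes ) {
    $classes = array( 'wp-block-card' );
    if ( ! empty( $attributes['className'] ) ) {
        // Block attribute: user-controlled input.
        $classes[] = $attributes['className'];
    }
    return $classes;
}

// Pattern the rule flags: the joined array is printed into the attribute as-is.
function render_card_unescaped( array $attributes ) {
    $classes = card_classes( $attributes );
    return '<div class="' . join( ' ', $classes ) . '">Card</div>';
}

// Fix from the rule description: escape the joined string for attribute context.
function render_card_escaped( array $attributes ) {
    $classes = card_classes( $attributes );
    return '<div class="' . esc_attr( join( ' ', $classes ) ) . '">Card</div>';
}

// Constructed input: a class value that contains a double quote.
$attributes = array( 'className' => 'hero" data-injected="1' );

echo render_card_unescaped( $attributes ), PHP_EOL;
echo render_card_escaped( $attributes ), PHP_EOL;
```

In the first line of output the double quote ends the `class` attribute and `data-injected` is parsed as an attribute of its own; in the second the quote is entity-encoded and the whole value stays inside `class`.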