
WPTavern: Bootstrap Patches XSS Vulnerability in Versions 4.3.1 and 3.4.1

Bootstrap has released versions 4.3.1 and 3.4.1 to patch an XSS vulnerability (CVE-2019-8331). The issue was reported to the Bootstrap Drupal project by a developer and then responsibly disclosed to the Bootstrap development team. It specifically affects the tooltip and popover plugins:

Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.

The fix adds a JavaScript sanitizer that reduces the template to an allow-list of HTML elements and the attributes permitted on each of them, and rejects href and src values whose URL scheme is not on a safe list, so an injected event-handler attribute or a javascript: link is discarded before the template is inserted into the DOM. Developers can extend the default allow-list or supply their own sanitizer function through the tooltip and popover options. In addition to patching the vulnerability, Bootstrap has published new sanitizer documentation for versions 4.3 and 3.4.
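The allow-list approach described above, as an added example in plain JavaScript. This is not Bootstrap's own sanitizer (which walks a tree built by DOMParser in the browser); it tokenizes the template string with a regular expression so it runs under Node without a DOM, and its element and attribute lists, the safe-URL pattern and the sample templates are assumptions chosen for the example, loosely modeled on the published allow-list. Disallowed elements are dropped together with their subtree, disallowed attributes are stripped, and href/src values are kept only if relative or on an explicit scheme list (this version is stricter than Bootstrap's and drops all data: URLs).

```javascript
// Added example: allow-list sanitizer for tooltip/popover templates.
// Not Bootstrap's code; element/attribute lists are illustrative assumptions.

// Element -> attributes allowed on it. '*' applies to every allowed element.
const ALLOW_LIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role', /^aria-[\w-]+$/],
  a: ['href', 'target', 'title', 'rel'],
  b: [], br: [], div: [], em: [], h3: [], hr: [], i: [],
  img: ['src', 'alt', 'title', 'width', 'height'],
  li: [], ol: [], p: [], small: [], span: [], strong: [], ul: [],
};

// Attributes that carry a URL get scheme-checked: relative URLs and http(s),
// mailto and tel are kept; javascript:, data:, vbscript: etc. are rejected.
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:(?:https?|mailto|tel):|[^&:/?#]*(?:[/?#]|$))/i;

// Elements that never have a closing tag, so dropping them drops no subtree.
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'param', 'source', 'track', 'wbr']);

// Tokenizer, not a parser: a tag is "<", optional "/", a name, then attribute
// text in which quoted values may contain ">". Good enough for templates;
// a browser-side sanitizer should operate on a real DOM instead.
const TAG_RE = /<(\/?)([A-Za-z][A-Za-z0-9-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'=\/<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function attrAllowed(tag, name, value) {
  const rules = [...ALLOW_LIST['*'], ...ALLOW_LIST[tag]];
  const nameOk = rules.some(r => (r instanceof RegExp ? r.test(name) : r === name));
  if (!nameOk) return false;
  return !URL_ATTRS.has(name) || SAFE_URL.test(value.trim());
}

// Returns a re-serialized template containing only allowed elements and
// attributes. Everything inside a disallowed element is dropped as well.
function sanitizeTemplate(html) {
  let out = '';
  let last = 0;
  let skipDepth = 0; // > 0 while inside the subtree of a disallowed element
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [raw, slash, rawTag, rawAttrs] = m;
    const tag = rawTag.toLowerCase();
    if (skipDepth === 0) out += html.slice(last, m.index); // text before the tag
    last = m.index + raw.length;

    const isClose = slash === '/';
    const selfClosing = VOID.has(tag) || /\/\s*$/.test(rawAttrs);
    const allowed = Object.prototype.hasOwnProperty.call(ALLOW_LIST, tag);

    if (skipDepth > 0) {            // still inside a dropped subtree
      if (isClose) skipDepth--;
      else if (!selfClosing) skipDepth++;
      continue;
    }
    if (!allowed) {                 // drop the element and, if it has one, its subtree
      if (!isClose && !selfClosing) skipDepth++;
      continue;
    }
    if (isClose) {
      if (!VOID.has(tag)) out += `</${tag}>`;
      continue;
    }
    let attrs = '';
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      // Re-serialize with double quotes so a value can never close the attribute.
      if (attrAllowed(tag, name, value)) attrs += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  if (skipDepth === 0) out += html.slice(last); // trailing text
  return out;
}

// Constructed attacker-controlled template (not a real-world sample): an event
// handler on an allowed element, a javascript: URL and an injected script.
const HOSTILE_TEMPLATE =
  '<div class="tooltip" role="tooltip"><div class="arrow"></div>' +
  '<div class="tooltip-inner"><img src=x onerror="alert(document.cookie)">' +
  '<a href="javascript:alert(1)">link</a><script>alert(2)</script></div></div>';

console.log(sanitizeTemplate(HOSTILE_TEMPLATE));
```

The hostile template comes back as the plain tooltip markup with an `<img src="x">`, an `<a>` without its href and no script at all, while a benign default template passes through unchanged. Because the tokenizer is not a full HTML parser, the browser-side sanitizer (Bootstrap's own, or a DOM-based library) remains the one to rely on in production; the value of this version is showing the decision logic in one place.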

According to data from BuiltWith, Bootstrap is used by approximately 16% of the internet. It is also used widely among WordPress plugins. There are hundreds of listings in the WordPress.org Plugin Directory that implement Bootstrap in one way or another, and many of them have not been updated for months or even longer than a year. It's tough to say which ones are affected by this vulnerability, as it depends on how the plugin author has implemented Bootstrap and, in some cases, on what the site's users are allowed to output to the frontend. A site is only exposed where untrusted input can reach a tooltip or popover template (the data-template attribute or the template option) on a page that loads a vulnerable Bootstrap build; a plugin that merely bundles Bootstrap and never passes user-controlled HTML to these plugins is not exploitable through this bug. The version banner in the header comment of the bundled bootstrap.js or bootstrap.min.js shows which build a plugin ships. If you have a plugin that uses Bootstrap, it may be worth getting in touch with the plugin author to see if a security update will be necessary.


Source: WordPress
