CVE-2015-3439 Information
Share on:Description
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload as used in WordPress 3.9.x 4.0.x and 4.1.x before 4.1.2 and other products allows remote attackers to execute same-origin JavaScript functions via the target parameter as demonstrated by executing a certain click function related to _init.as and _fireEvent.as.
Reference
http://codex.wordpress.org/Version_4.1.2 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html http://www.debian.org/security/2015/dsa-3250 http://www.securityfocus.com/bid/74269 http://www.securitytracker.com/id/1032207 http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html https://core.trac.wordpress.org/changeset/32168 https://wordpress.org/news/2015/04/wordpress-4-1-2/ https://wpvulndb.com/vulnerabilities/7933