CVE-2012-2401
Plupload < 1.5.4 - Same Origin Policy Bypass via SWF Scripting
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
References (10)
http://osvdb.org/81461 (Third Party Advisory, VDB Entry; x_refsource_osvdb)
http://secunia.com/advisories/49138 (Vendor Advisory; x_refsource_secunia)
http://www.plupload.com/punbb/viewtopic.php?id=1685 (Various Sources; x_refsource_confirm)
http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487 (Product; x_refsource_confirm)
https://exchange.xforce.ibmcloud.com/vulnerabilities/75208 (Third Party Advisory, VDB Entry; x_refsource_xf)
http://www.debian.org/security/2012/dsa-2470 (Third Party Advisory, vendor-advisory; x_refsource_debian)
https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/ (Various Sources; x_refsource_misc)
http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487 (Product; x_refsource_confirm)
http://www.securityfocus.com/bid/53192 (Third Party Advisory, VDB Entry; x_refsource_bid)
http://wordpress.org/news/2012/04/wordpress-3-3-2/ (Patch, Vendor Advisory; x_refsource_confirm)
Scores
EPSS: 0.0104
EPSS Percentile: 77.7%
Details
CWE: CWE-264
Status: published
Products (48)
moxiecode/plupload 1.4.0
moxiecode/plupload 1.4.1
moxiecode/plupload 1.4.2
moxiecode/plupload 1.4.3
moxiecode/plupload 1.5.0 (2 CPE variants)
moxiecode/plupload 1.5.1
moxiecode/plupload 1.5.2
moxiecode/plupload < 1.5.3
wordpress/wordpress 0.71
wordpress/wordpress 1.0
... and 38 more
Published: Apr 21, 2012
Tracked Since: Feb 18, 2026