Description
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
References (11)
Core 11
Core References
Exploit x_refsource_misc
http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html
Exploit, Vendor Advisory x_refsource_confirm
https://wordpress.org/news/2015/04/wordpress-4-1-2/
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/7933
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74269
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032207
Product x_refsource_confirm
https://core.trac.wordpress.org/changeset/32168
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2015/dsa-3250
Exploit, Patch x_refsource_confirm
http://codex.wordpress.org/Version_4.1.2
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html
Scores
EPSS
0.0312
EPSS Percentile
87.0%
Details
CWE
CWE-79
Status
published
Products (10)
debian/debian_linux
7.0
debian/debian_linux
8.0
wordpress/wordpress
3.9.0
wordpress/wordpress
3.9.1
wordpress/wordpress
3.9.2
wordpress/wordpress
3.9.3
wordpress/wordpress
4.0
wordpress/wordpress
4.0.1
wordpress/wordpress
4.1
wordpress/wordpress
4.1.1
Published
Aug 05, 2015
Tracked Since
Feb 18, 2026