Description

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

Remediation

References

CVE-2015-3439

Related Vulnerabilities

Zenphoto Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5592)

Apache Tomcat Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2015-5174)

Plone CMS URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-1000484)

WordPress Plugin Subscriber by BestWebSoft Cross-Site Scripting (1.3.4)

Drupal Other Vulnerability (CVE-2006-5476)

Severity

Medium

Classification

CVE-2015-3439 CWE-707

Tags

Missing Update Known Vulnerabilities