CVE-2015-3439

Currently unrated

Key Information:

Vendor: Wordpress
Status: Debian Linux
Vendor: CVE Published:; 5 August 2015

Summary

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

References

http://zoczus.blogspot.com/2015/04/plupload-same-origin-m...

x_refsource_MISC

http://lists.fedoraproject.org/pipermail/package-announce...

vendor-advisoryx_refsource_FEDORA

https://wordpress.org/news/2015/04/wordpress-4-1-2/

x_refsource_CONFIRM

Timeline

Vulnerability published
Aug 5, 2015
Vulnerability Reserved
Apr 28, 2015