CVE-2012-2401 — Wordpress vulnerability

CWE-2645 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

1.0%

top 22.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Moxiecode Plupload

Timeline

PublishedApr 21

Latest updateMay 17

Description

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDmoxiecode/plupload1.5.3+7

▶debiandebian/wordpress< wordpress 3.3.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.3.2+dfsg-1+3

▶NVDwordpress/wordpress3.3.1+77

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-ch8h-4j2v-gwvg: Plupload before 1↗2022-05-17

▶

OSV

CVE-2012-2401: Plupload before 1↗2012-04-21

▶

📋Vendor Advisories

Debian

CVE-2012-2401: wordpress - Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3...↗2012

▶

💬Community

Bugzilla

CVE-2012-2401 wordpress (X < v3.3.2): Plupload - Same origin policy bypass via crafted SWF content↗2012-04-23

▶