CVE-2015-3439 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

3.1%

top 13.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedAug 5

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.2+dfsg-1+3

▶NVDwordpress/wordpress8 versions+7

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: codex.wordpress.org ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-wfch-pm8w-hchp: Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload↗2022-05-17

▶

OSV

CVE-2015-3439: Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload↗2015-08-05

▶

📋Vendor Advisories

Debian

CVE-2015-3439: wordpress - Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupl...↗2015

▶

💬Community

Bugzilla

CVE-2015-3438 CVE-2015-3439 wordpress: several vulnerabilities fixed in Wordpress 4.1.2↗2015-04-23

▶