CVE-2016-4566 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting7 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

4.7%

top 10.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Plupload

Timeline

PublishedMay 22

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDplupload/plupload2.1.8

▶debiandebian/wordpress< wordpress 4.5.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.5.2+dfsg-1+3

▶NVDwordpress/wordpress4.5.1

Patches

Patch: codex.wordpress.org ↗Patch: core.trac.wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-cv88-x229-26m4: Cross-site scripting (XSS) vulnerability in plupload↗2022-05-17

▶

OSV

CVE-2016-4566: Cross-site scripting (XSS) vulnerability in plupload↗2016-05-22

▶

📋Vendor Advisories

Debian

CVE-2016-4566: wordpress - Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload befor...↗2016

▶

💬Community

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release↗2016-05-09

▶

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release [epel-all]↗2016-05-09

▶

Bugzilla

CVE-2016-4566 CVE-2016-4567 wordpress: 4.5.2 Security Release [fedora-all]↗2016-05-09

▶