BugTraq
WordPress audio playlist functionality is affected by Cross-Site Scripting Mar 06 2017 11:03PM
Summer of Pwnage (lists securify nl)
------------------------------------------------------------------------

WordPress audio playlist functionality is affected by Cross-Site
Scripting
------------------------------------------------------------------------

Yorick Koster, July 2016

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

Two Cross-Site Scripting vulnerabilities exists in the playlist
functionality of WordPress. These issues can be exploited by convincing
an Editor or Administrator into uploading a malicious MP3 file. Once
uploaded the issues can be triggered by a Contributor or higher using
the playlist shortcode.

------------------------------------------------------------------------

OVE ID
------------------------------------------------------------------------

OVE-20160717-0003

------------------------------------------------------------------------

Tested versions
------------------------------------------------------------------------

This issue was successfully tested on the WordPress version 4.5.3.

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

These issues are resolved in WordPress version 4.7.3.

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality
_is_affected_by_cross_site_scripting.html

------------------------------------------------------------------------

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus