Bugtraq: WordPress audio playlist functionality is affected by Cross-Site Scripting

————————————————————————

WordPress audio playlist functionality is affected by Cross-Site

Scripting

————————————————————————

Yorick Koster, July 2016

————————————————————————

Abstract

————————————————————————

Two Cross-Site Scripting vulnerabilities exists in the playlist

functionality of WordPress. These issues can be exploited by convincing

an Editor or Administrator into uploading a malicious MP3 file. Once

uploaded the issues can be triggered by a Contributor or higher using

the playlist shortcode.

————————————————————————

OVE ID

————————————————————————

OVE-20160717-0003

————————————————————————

Tested versions

————————————————————————

This issue was successfully tested on the WordPress version 4.5.3.

————————————————————————

Fix

————————————————————————

These issues are resolved in WordPress version 4.7.3.

————————————————————————

Details

————————————————————————

https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality

_is_affected_by_cross_site_scripting.html

————————————————————————

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its

goal is to contribute to the security of popular, widely used OSS

projects in a fun and educational way.

[ reply ]

Source: SecurityFocus Vulnerabilities @ March 6, 2017 at 11:04PM

0