Plupload allows you to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, and provides features such as upload progress, image resizing and chunked uploads. This version of Plupload is vulnerable to cross-site scripting. The affected file is plupload.flash.swf.
The vulnerable file is included in WordPress versions 3.5, 3.4.2, 3.4.1, 3.4, 3.3.3 and 3.3.2.
Proof of Concept:
Remediation:
- Upgrade to the latest version of Plupload.