Plupload allows you to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads. This version of Plupload is vulnerable to cross-site scripting. The affected file is plupload.flash.swf.
The vulnerable file is included in WordPress versions 3.5, 3.4.2, 3.4.1, 3.4, 3.3.3 and 3.3.2.
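An added example (not part of the original advisory): a shell check that locates copies of plupload.flash.swf under a web root and flags those that sit inside one of the WordPress releases listed above. It assumes the release is recorded as `$wp_version` in `wp-includes/version.php`; the function names and the AFFECTED/REVIEW labels are chosen here for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the bundled Plupload Flash file.
# Affected WordPress versions, exactly as listed in the advisory.
AFFECTED_VERSIONS="3.5 3.4.2 3.4.1 3.4 3.3.3 3.3.2"

# Print $wp_version from ROOT/wp-includes/version.php (assumed location).
wp_version_of() {
    sed -n "s/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Walk up from FILE until a directory holding wp-includes/version.php is found.
wp_root_of() {
    dir=$(dirname "$1")
    while :; do
        if [ -f "$dir/wp-includes/version.php" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1   # reached "/" or "."
        dir=$parent
    done
}

# audit_plupload ROOT: one tab-separated line per copy of the file:
#   STATUS <TAB> WORDPRESS_VERSION <TAB> PATH
# AFFECTED = inside a listed WordPress release.
# REVIEW   = file present elsewhere (other release or standalone Plupload copy).
audit_plupload() {
    find "$1" -type f -name 'plupload.flash.swf' 2>/dev/null |
    while IFS= read -r swf; do
        status=REVIEW
        version=unknown
        if root=$(wp_root_of "$swf"); then
            version=$(wp_version_of "$root")
            [ -n "$version" ] || version=unknown
            case " $AFFECTED_VERSIONS " in
                *" $version "*) status=AFFECTED ;;   # exact match only
            esac
        fi
        printf '%s\t%s\t%s\n' "$status" "$version" "$swf"
    done
}

# Run against a web root when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_plupload "$1"; fi
```

Copies reported as REVIEW are not cleared by this check; they only fall outside the version list given here and still need to be compared against the current Plupload release.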
Proof of Concept:
- Upgrade to the latest version of Plupload.