Description
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.
Remediation
References
Related Vulnerabilities
WordPress Plugin Slider by 10Web-Responsive Image Slider Unspecified Vulnerability (1.1.9)
WordPress Plugin WP-RecentComments SQL Injection (2.0.7)
WordPress Plugin My Calendar Cross-Site Scripting (2.4.18)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-5014)
WeBid Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-47397)