Description
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.
Remediation
References