Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn".
Recommendation
Update the mediaelement package to the latest compatible version. Version details:
- Affected version(s): < 2.11.1
- Patched version(s): 2.11.1
References
- GHSA-277w-qpxr-2549
- codex.wordpress.org
- core.trac.wordpress.org
- wordpress.org
- wpvulndb.com
- www.openwall.com
- www.securitytracker.com
- contao.org
- web.archive.org
- CVE-2016-4567
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
- bracket-template vulnerable to reflected XSS - CVE-2018-3735
- Marked vulnerable to XSS from data URIs - CVE-2017-1000427
Tags: npm, mediaelement
Last updated on April 25, 2024


