Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by “jsinitfunctio%gn”.
Recommendation
Update the mediaelement package to the latest compatible version. Version details:
- Affected version(s): < 2.11.1
- Patched version(s): 2.11.1
References
- GHSA-277w-qpxr-2549
- codex.wordpress.org
- core.trac.wordpress.org
- wordpress.org
- wpvulndb.com
- www.openwall.com
- www.securitytracker.com
- contao.org
- web.archive.org
- CVE-2016-4567
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- bracket-template vulnerable to reflected XSS - CVE-2018-3735
- Svelte vulnerable to XSS when using objects during server-side rendering - CVE-2022-25875
- Marked vulnerable to XSS from data URIs - CVE-2017-1000427
- Tags:
- npm
- mediaelement
Last updated on April 25, 2024