Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by “jsinitfunctio%gn.”
Recommendation
Update the mediaelement package to the latest compatible version. Version details follow:
- Affected version(s): < 2.11.1
- Patched version(s): 2.11.1
References
- GHSA-277w-qpxr-2549
- codex.wordpress.org
- core.trac.wordpress.org
- wordpress.org
- wpvulndb.com
- www.openwall.com
- www.securitytracker.com
- contao.org
- web.archive.org
- CVE-2016-4567
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
- Cross site scripting in markdown-to-jsx - CVE-2024-21535
- uPlot Prototype Pollution vulnerability - CVE-2024-21489
- FUXA local file inclusion vulnerability - CVE-2023-31718
Tags
- npm
- mediaelement
Last updated on April 25, 2024