Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by “jsinitfunctio%gn”.
Recommendation
Update the mediaelement package to the latest compatible version. The version details are as follows:
- Affected version(s): < 2.11.1
- Patched version(s): 2.11.1
References
- GHSA-277w-qpxr-2549
- codex.wordpress.org
- core.trac.wordpress.org
- wordpress.org
- wpvulndb.com
- www.openwall.com
- www.securitytracker.com
- contao.org
- web.archive.org
- CVE-2016-4567
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- bracket-template vulnerable to reflected XSS - CVE-2018-3735
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter - CVE-2020-19697
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
Tags
- npm
- mediaelement
Last updated on April 25, 2024