CVE-2012-2401

high

Description

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.

References

https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/

https://exchange.xforce.ibmcloud.com/vulnerabilities/75208

http://www.securityfocus.com/bid/53192

http://www.plupload.com/punbb/viewtopic.php?id=1685

http://www.debian.org/security/2012/dsa-2470

http://wordpress.org/news/2012/04/wordpress-3-3-2/

http://secunia.com/advisories/49138

http://osvdb.org/81461

http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=20487

http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/changelog.txt?rev=20487

Details

Source: Mitre, NVD

Published: 2012-04-21

Updated: 2017-12-19

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Severity: High