WordPress MediaElement Cross-Site Scripting

By Sooraj V Nair
Published on 26 Jun 2022

Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker injects malicious scripts into a website or web application. Older versions of WordPress (3.7-4.9.1) are vulnerable to Cross-Site Scripting. The flaw was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. An attacker can inject malicious HTML and script code into the web application. The consequences include altering the site's appearance and increasing the chance of a successful attack against end users. An attacker can exploit this vulnerability to execute malicious script code in the browser, which may allow the attacker to steal cookie-based authentication credentials.

WordPress before version 4.9.2 had an XSS vulnerability in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). MediaElement is a library that is included with WordPress. Because the Flash files are not used in most use cases, they have been removed from WordPress.
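To check an install for the condition described above, the following added example (not code from WordPress or from this article's author) reads `$wp_version` from wp-includes/version.php, compares it with the 3.7-4.9.1 range given here, and lists any `.swf` files remaining under wp-includes/js/mediaelement. The function names, the sample directory tree and the file name `example-fallback.swf` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated on this page: WordPress 3.7 through 4.9.1 (fixed in 4.9.2).
AFFECTED_MIN = (3, 7, 0)
FIXED_IN = (4, 9, 2)
MEDIAELEMENT_DIR = "wp-includes/js/mediaelement"  # directory named on this page

def parse_version(text):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"](\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "4.9" to (4, 9, 0)

def audit(wp_root):
    """Report the core version, whether it is in the affected range, and any .swf files."""
    root = Path(wp_root)
    version_file = root / "wp-includes" / "version.php"
    version = None
    if version_file.is_file():
        version = parse_version(version_file.read_text(errors="replace"))
    affected = version is not None and AFFECTED_MIN <= version < FIXED_IN
    # Check for Flash files regardless of the reported version: an upgrade done by
    # copying new files over old ones does not delete files the release removed.
    me_dir = root / MEDIAELEMENT_DIR
    flash = []
    if me_dir.is_dir():
        flash = sorted(p.relative_to(root).as_posix() for p in me_dir.rglob("*")
                       if p.is_file() and p.suffix.lower() == ".swf")
    return {"version": version, "version_affected": affected, "flash_files": flash}

def make_sample_tree(base, version, swf_names):
    """Build a constructed directory layout for the demo (not a real install)."""
    me_dir = Path(base) / MEDIAELEMENT_DIR
    me_dir.mkdir(parents=True)
    (Path(base) / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    for name in swf_names:
        (me_dir / name).write_bytes(b"placeholder")  # constructed file, not real Flash
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit(make_sample_tree(d, "4.9.1", ["example-fallback.swf"])))
```

Point `audit()` at the document root of a real install; a non-empty `flash_files` list on a site that already reports 4.9.2 or later means old fallback files were left on disk and should be deleted.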

Impact and Fixes


Written by
Sooraj V Nair
Cyber Security Engineer