WordPress MediaElement Cross-Site Scripting

OWASP 2013-A3 OWASP 2017-A7 OWASP PC-C4 PCI v3.2- CAPEC-19 CWE-79 HIPAA-79 ISO27001-A.14.2.5 WASC-8

Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker gets malicious script to run in a victim's browser in the context of a website or web application. WordPress versions 3.7 through 4.9.1 are vulnerable to a cross-site scripting issue discovered in the Flash fallback files of MediaElement, a media-player library bundled with WordPress. An attacker can use it to inject HTML and script code that executes in the browser of any user who loads the affected content. The consequences range from altering the page's appearance to running arbitrary script in the victim's session, which can be used, for example, to steal cookie-based authentication credentials where the cookies are not flagged HttpOnly, or to perform actions as the victim.

WordPress before 4.9.2 shipped the vulnerable Flash fallback files with MediaElement under wp-includes/js/mediaelement. Because the Flash fallback is not needed by most sites, WordPress 4.9.2 removed these files rather than patching them. Updating to 4.9.2 or later, and confirming that no .swf files remain in that directory, addresses the issue.
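The following is an added example, not code from the advisory or from WordPress, of a local check for this issue. It reads the installed version from wp-includes/version.php, compares it against the affected range stated above (3.7 up to but not including 4.9.2), and lists any .swf files still present under wp-includes/js/mediaelement, since the Flash files themselves are the vulnerable asset and their presence on an otherwise updated install (for example after a partial restore from backup) is still a finding. The path layout and the version-string format are those of a standard WordPress install; no file names beyond the directory are assumed.

```python
"""Check a WordPress tree for the MediaElement Flash-fallback XSS exposure.

Added example for this advisory (not from the page or from WordPress).
Assumes the standard layout: wp-includes/version.php holding
`$wp_version = 'x.y.z';` and the MediaElement assets under
wp-includes/js/mediaelement.
"""
import json
import re
import sys
from pathlib import Path

# Affected range as stated in the advisory text: 3.7 <= version < 4.9.2.
FIRST_AFFECTED = (3, 7, 0)
FIXED_IN = (4, 9, 2)
MEDIAELEMENT_DIR = Path("wp-includes") / "js" / "mediaelement"
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """Turn '4.9.1', '4.9' or '4.9.1-alpha' into a 3-tuple of ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def read_wp_version(root):
    """Return the version string from wp-includes/version.php, or None."""
    version_file = Path(root) / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None
    m = VERSION_RE.search(version_file.read_text(errors="replace"))
    return m.group(1) if m else None


def version_in_affected_range(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def leftover_flash_files(root):
    """List .swf files (relative, POSIX-style) under the MediaElement dir."""
    directory = Path(root) / MEDIAELEMENT_DIR
    if not directory.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in directory.rglob("*")
        if p.is_file() and p.suffix.lower() == ".swf"
    )


def assess(root):
    """Combine the version check and the file check into one verdict.

    'exposed' is True if the core version is in the affected range OR the
    Flash fallback files are still on disk: a site on 4.9.2+ that still
    serves the .swf files has the vulnerable asset reachable.
    """
    root = Path(root)
    version = read_wp_version(root)
    flash_files = leftover_flash_files(root)
    version_affected = version is not None and version_in_affected_range(version)
    return {
        "version": version,
        "version_affected": version_affected,
        "flash_files": flash_files,
        "exposed": version_affected or bool(flash_files),
    }


if __name__ == "__main__":
    # Usage: python check_mediaelement.py /path/to/wordpress
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(assess(target), indent=2))
```

Run it against the document root of the site; a result with `"exposed": true` means either the core version must be updated or the leftover .swf files must be deleted (or both). The file check is deliberately independent of the version check so that a stale copy of the Flash files is not masked by an up-to-date version.php.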

Impact and Fixes
