Vulnerability Description
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moxiecode | Plupload | <= 1.5.3 |
| Wordpress | Wordpress | <= 3.3.1 |
Related Weaknesses (CWE)
References
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/chan
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=
- http://osvdb.org/81461
- http://secunia.com/advisories/49138Vendor Advisory
- http://wordpress.org/news/2012/04/wordpress-3-3-2/PatchVendor Advisory
- http://www.debian.org/security/2012/dsa-2470
- http://www.plupload.com/punbb/viewtopic.php?id=1685
- http://www.securityfocus.com/bid/53192
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75208
- https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-pluplo
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload/chan
- http://core.trac.wordpress.org/browser/branches/3.3/wp-includes/js/plupload?rev=
- http://osvdb.org/81461
- http://secunia.com/advisories/49138Vendor Advisory
- http://wordpress.org/news/2012/04/wordpress-3-3-2/PatchVendor Advisory
FAQ
What is CVE-2012-2401?
CVE-2012-2401 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows ...
How severe is CVE-2012-2401?
CVE-2012-2401 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2401?
Check the references section above for vendor advisories and patch information. Affected products include: Moxiecode Plupload, Wordpress Wordpress.