CVE-2015-3439 - Surpassing Bong

Description

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload as used in WordPress 3.9.x 4.0.x and 4.1.x before 4.1.2 and other products allows remote attackers to execute same-origin JavaScript functions via the target parameter as demonstrated by executing a certain click function related to _init.as and _fireEvent.as.

Reference

http://codex.wordpress.org/Version_4.1.2 https://core.trac.wordpress.org/changeset/32168 https://wordpress.org/news/2015/04/wordpress-4-1-2/ http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html http://www.debian.org/security/2015/dsa-3250 https://wpvulndb.com/vulnerabilities/7933 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html http://www.securitytracker.com/id/1032207 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html http://www.securityfocus.com/bid/74269