Unrated severity · NVD Advisory · Published Aug 5, 2015 · Updated May 6, 2026
CVE-2015-3439
Description
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
Affected products
10 CPE entries:
- cpe:2.3:a:wordpress:wordpress:3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
11 references:
- codex.wordpress.org/Version_4.1.2 (nvd; Exploit, Patch)
- zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html (nvd; Exploit)
- wordpress.org/news/2015/04/wordpress-4-1-2/ (nvd; Exploit, Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html (nvd)
- www.debian.org/security/2015/dsa-3250 (nvd)
- www.securityfocus.com/bid/74269 (nvd)
- www.securitytracker.com/id/1032207 (nvd)
- core.trac.wordpress.org/changeset/32168 (nvd)
- wpvulndb.com/vulnerabilities/7933 (nvd)