Medium severity · CVSS 6.1 · NVD Advisory · Published May 22, 2016 · Updated May 6, 2026
CVE-2016-4567
CVE-2016-4567
Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the npm range below (< 2.11.1) is narrower than the NVD affected range for MediaElement.js (<= 2.20.1, see "Affected products") and than the description's "before 2.21.0"; check the project changelog for the release that actually carries the fix commit before relying on the npm range.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediaelement (npm) | < 2.11.1 | 2.11.1 |
| contao-components/mediaelement (Packagist) | >= 2.14.2, < 2.21.1 | 2.21.1 |
| contao/core (Packagist) | >= 3.0.0, < 3.5.15 | 3.5.15 |
Affected products
- cpe:2.3:a:mediaelementjs:mediaelement.js:*:*:*:*:*:*:*:* — Range: <= 2.20.1
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* — Range: <= 4.5.1
Patches
234834eef8ac8Simplify allowed Flash querystring parameters
2 files changed · +18 −74
src/flash/FlashMediaElement.as+17 −73 modified@@ -25,8 +25,6 @@ package { import htmlelements.HLSMediaElement; [SWF(backgroundColor="0x000000")] // Set SWF background color - - public class FlashMediaElement extends MovieClip { private var _mediaUrl:String; @@ -99,34 +97,18 @@ package { public function FlashMediaElement() { - // check for security issues (borrowed from jPLayer) - checkFlashVars(loaderInfo.parameters); + + if (isIllegalQuerystring()) { + return; + } // allows this player to be called from a different domain than the HTML page hosting the player CONFIG::cdnBuild { Security.allowDomain("*"); Security.allowInsecureDomain('*'); } - if (securityIssue) { - return; - } - - // get parameters - // Use only FlashVars, ignore QueryString - var params:Object, pos:int, query:Object; - - params = LoaderInfo(this.root.loaderInfo).parameters; - pos = root.loaderInfo.url.indexOf('?'); - if (pos !== -1) { - query = parseStr(root.loaderInfo.url.substr(pos + 1)); - - for (var key:String in params) { - if (query.hasOwnProperty(trim(key))) { - delete params[key]; - } - } - } + var params:Object = LoaderInfo(this.root.loaderInfo).parameters; CONFIG::debugBuild { _debug = (params['debug'] != undefined) ? (String(params['debug']) == "true") : false; 
@@ -456,43 +438,20 @@ package { } } - // borrowed from jPLayer - // https://github.com/happyworm/jPlayer/blob/e8ca190f7f972a6a421cb95f09e138720e40ed6d/actionscript/Jplayer.as#L228 - private function checkFlashVars(p:Object):void { - var i:Number = 0; - for (var s:String in p) { - if (isIllegalChar(p[s], s === 'file')) { - securityIssue = true; // Illegal char found - } - i++; - } - if (i === 0 || securityIssue) { - directAccess = true; - } - } - - private static function parseStr (str:String) : Object { - var hash:Object = {}, - arr1:Array, arr2:Array; - - str = unescape(str).replace(/\+/g, " "); - - arr1 = str.split('&'); - if (!arr1.length) { - return {}; - } - - for (var i:uint = 0, length:uint = arr1.length; i < length; i++) { - arr2 = arr1[i].split('='); - if (!arr2.length) { - continue; - } - hash[trim(arr2[0])] = trim(arr2[1]); - } - return hash; + private function isIllegalQuerystring():Boolean { + var query:String = ''; + var pos:Number = root.loaderInfo.url.indexOf('?') ; + + if ( pos > -1 ) { + query = root.loaderInfo.url.substring( pos ); + if ( ! /^\?\d+$/.test( query ) ) { + return true; + } + } + + return false; } - private static function trim(str:String) : String { if (!str) { return str; @@ -501,21 +460,6 @@ package { return str.toString().replace(/^\s*/, '').replace(/\s*$/, ''); } - private function isIllegalChar(s:String, isUrl:Boolean):Boolean { - var illegals:String = "' \" ( ) { } * + \\ < >"; - if (isUrl) { - illegals = "\" { } \\ < >"; - } - if (Boolean(s)) { // Otherwise exception if parameter null. - for each (var illegal:String in illegals.split(' ')) { - if (s.indexOf(illegal) >= 0) { - return true; // Illegal char found - } - } - } - return false; - } - // START: Controls and events private function mouseActivityMove(event:MouseEvent):void {
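Review bot: Dropping checkFlashVars/isIllegalChar means FlashVars values (jsinitfunction among them) are no longer inspected at all before the constructor reads them into `params`, and nothing in the hunk records why that is acceptable. The new guard constrains only the URL querystring, so the implicit argument is that FlashVars can only be supplied by the embedding page's own `<param name="flashvars">` markup and are therefore as trusted as that page; that reasoning should sit above the new `var params:Object = LoaderInfo(this.root.loaderInfo).parameters;` line, e.g. `// FlashVars come only from the embedding page's markup, never from the SWF URL (isIllegalQuerystring rejects anything but a bare numeric cache-buster), so they are trusted like the host page.` isIllegalQuerystring's regex `/^\?\d+$/` accepts only `?<digits>`, so any other querystring, including the `?x=<timestamp>` that me-shim.js still emits in this same commit, makes the constructor return silently with no trace; a comment on that early return, or a debug-build trace, would make the failure mode visible. The FlashMediaElement constructor continues past the end of the first hunk, so how `params` is consumed afterwards is not visible here.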
src/js/me-shim.js+1 −1 modified@@ -579,7 +579,7 @@ mejs.HtmlMediaElementShim = { specialIEContainer.outerHTML = '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" ' + 'id="' + pluginid + '" width="' + width + '" height="' + height + '" class="mejs-shim">' + -'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date()) + '" />' + +'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date().getTime()) + '" />' + '<param name="flashvars" value="' + initVars.join('&') + '" />' + '<param name="quality" value="high" />' + '<param name="bgcolor" value="#000000" />' +
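Review bot: The cache-buster written here, `'?x=' + (new Date().getTime())`, does not satisfy the `^\?\d+$` test that the companion FlashMediaElement.as change applies to `root.loaderInfo.url`, so on the IE `<object>` path the SWF's constructor would return before initialising. Unless the `x=` prefix is stripped somewhere not shown, the param should carry digits only: `'<param name="movie" value="' + options.pluginPath + options.flashName + '?' + (new Date().getTime()) + '" />' +`. Replacing `new Date()` with `getTime()` is the right direction, since the stringified Date contained spaces, parentheses and letters that the stricter querystring check would also reject.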
34834eef8ac8Simplify allowed Flash querystring parameters
2 files changed · +18 −74
src/flash/FlashMediaElement.as+17 −73 modified@@ -25,8 +25,6 @@ package { import htmlelements.HLSMediaElement; [SWF(backgroundColor="0x000000")] // Set SWF background color - - public class FlashMediaElement extends MovieClip { private var _mediaUrl:String; @@ -99,34 +97,18 @@ package { public function FlashMediaElement() { - // check for security issues (borrowed from jPLayer) - checkFlashVars(loaderInfo.parameters); + + if (isIllegalQuerystring()) { + return; + } // allows this player to be called from a different domain than the HTML page hosting the player CONFIG::cdnBuild { Security.allowDomain("*"); Security.allowInsecureDomain('*'); } - if (securityIssue) { - return; - } - - // get parameters - // Use only FlashVars, ignore QueryString - var params:Object, pos:int, query:Object; - - params = LoaderInfo(this.root.loaderInfo).parameters; - pos = root.loaderInfo.url.indexOf('?'); - if (pos !== -1) { - query = parseStr(root.loaderInfo.url.substr(pos + 1)); - - for (var key:String in params) { - if (query.hasOwnProperty(trim(key))) { - delete params[key]; - } - } - } + var params:Object = LoaderInfo(this.root.loaderInfo).parameters; CONFIG::debugBuild { _debug = (params['debug'] != undefined) ? (String(params['debug']) == "true") : false; 
@@ -456,43 +438,20 @@ package { } } - // borrowed from jPLayer - // https://github.com/happyworm/jPlayer/blob/e8ca190f7f972a6a421cb95f09e138720e40ed6d/actionscript/Jplayer.as#L228 - private function checkFlashVars(p:Object):void { - var i:Number = 0; - for (var s:String in p) { - if (isIllegalChar(p[s], s === 'file')) { - securityIssue = true; // Illegal char found - } - i++; - } - if (i === 0 || securityIssue) { - directAccess = true; - } - } - - private static function parseStr (str:String) : Object { - var hash:Object = {}, - arr1:Array, arr2:Array; - - str = unescape(str).replace(/\+/g, " "); - - arr1 = str.split('&'); - if (!arr1.length) { - return {}; - } - - for (var i:uint = 0, length:uint = arr1.length; i < length; i++) { - arr2 = arr1[i].split('='); - if (!arr2.length) { - continue; - } - hash[trim(arr2[0])] = trim(arr2[1]); - } - return hash; + private function isIllegalQuerystring():Boolean { + var query:String = ''; + var pos:Number = root.loaderInfo.url.indexOf('?') ; + + if ( pos > -1 ) { + query = root.loaderInfo.url.substring( pos ); + if ( ! /^\?\d+$/.test( query ) ) { + return true; + } + } + + return false; } - private static function trim(str:String) : String { if (!str) { return str; @@ -501,21 +460,6 @@ package { return str.toString().replace(/^\s*/, '').replace(/\s*$/, ''); } - private function isIllegalChar(s:String, isUrl:Boolean):Boolean { - var illegals:String = "' \" ( ) { } * + \\ < >"; - if (isUrl) { - illegals = "\" { } \\ < >"; - } - if (Boolean(s)) { // Otherwise exception if parameter null. - for each (var illegal:String in illegals.split(' ')) { - if (s.indexOf(illegal) >= 0) { - return true; // Illegal char found - } - } - } - return false; - } - // START: Controls and events private function mouseActivityMove(event:MouseEvent):void {
src/js/me-shim.js+1 −1 modified@@ -579,7 +579,7 @@ mejs.HtmlMediaElementShim = { specialIEContainer.outerHTML = '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" ' + 'id="' + pluginid + '" width="' + width + '" height="' + height + '" class="mejs-shim">' + -'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date()) + '" />' + +'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date().getTime()) + '" />' + '<param name="flashvars" value="' + initVars.join('&') + '" />' + '<param name="quality" value="high" />' + '<param name="bgcolor" value="#000000" />' +
References
- codex.wordpress.org/Version_4.5.2 (nvd · Patch · Vendor Advisory · WEB)
- core.trac.wordpress.org/changeset/37371nvdPatchWEB
- github.com/johndyer/mediaelement/blob/master/changelog.mdnvdPatchVendor AdvisoryWEB
- github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06envdPatchVendor AdvisoryWEB
- wordpress.org/news/2016/05/wordpress-4-5-2/nvdPatchVendor Advisory
- www.securitytracker.com/id/1035818nvdThird Party AdvisoryVDB EntryWEB
- gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9cnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-277w-qpxr-2549ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-4567ghsaADVISORY
- wpvulndb.com/vulnerabilities/8488nvdThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2016/05/07/2nvdWEB
- contao.org/en/news/contao-3_5_15.htmlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/contao-components/mediaelement/CVE-2016-4567.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2016-4567.yamlghsaWEB
- github.com/mediaelement/mediaelement/blob/b992ccf5f0c04a207d98bbb0868420751a61ec90/changelog.mdghsaWEB
- github.com/mediaelement/mediaelement/blob/master/changelog.mdghsaWEB
- github.com/mediaelement/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06eghsaWEB
- web.archive.org/web/20170205142412/http://www.securitytracker.com/id/1035818ghsaWEB
- wordpress.org/news/2016/05/wordpress-4-5-2ghsaWEB