WordPress versions 4.5.1 and earlier are affected by an XSS vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
AppCheck NG includes dedicated WordPress and Adobe Flash scanning modules. This flaw was already flagged by AppCheck prior to the public disclosure under the heading “Flash Cross Site Scripting via ExternalInterface.call”. AppCheck NG does not rely on vulnerability databases but rather adopts the same approach used in consultant-led penetration testing. In this case the Adobe Flash static analysis module identifies that a Flashvar variable is passed to ExternalInterface.call, resulting in a Cross-Site Scripting vulnerability.
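To illustrate the pattern the static analysis module looks for, here is a small taint check written for this post (example code, not AppCheck's module or Plupload's source): it scans ActionScript 3 text for values read from FlashVars via `loaderInfo.parameters` and reports any that reach the argument list of `ExternalInterface.call`, following simple assignments along the way. The ActionScript fragment it scans is constructed.

```python
import re

# Source: FlashVars surface in AS3 as loaderInfo.parameters (or .name / ["name"]).
SOURCE_RE = re.compile(r"\bloaderInfo\.parameters\b")
# Simple assignment: optional 'var', optional ':Type', a single '=' (not ==, !=, <=, >=).
ASSIGN_RE = re.compile(
    r"\b(?:var\s+)?(\w+)\s*(?::\s*[\w.]+\s*)?(?<![=!<>])=(?!=)\s*([^;]+);")
# Sink: the function name and arguments handed to ExternalInterface.call are
# evaluated as JavaScript in the page that embeds the SWF.
SINK_RE = re.compile(r"ExternalInterface\.call\s*\(([^;]*)\)\s*;")

def _mentions(names, text):
    """Names from `names` that appear as whole identifiers in `text`."""
    return sorted(n for n in names if re.search(rf"\b{re.escape(n)}\b", text))

def find_flashvar_sinks(source):
    """Return [(line_no, stripped_line, tainted_names)] for every
    ExternalInterface.call whose arguments reference a FlashVar, directly
    or through one or more simple assignments."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if SOURCE_RE.search(rhs) or _mentions(tainted, rhs):
                tainted.add(name)       # attacker-controlled value propagates
            else:
                tainted.discard(name)   # overwritten with a constant or clean value
        s = SINK_RE.search(line)
        if s:
            hits = _mentions(tainted, s.group(1))
            if SOURCE_RE.search(s.group(1)):
                hits.append("loaderInfo.parameters")
            if hits:
                findings.append((lineno, line.strip(), hits))
    return findings

# Constructed AS3 fragment (not Plupload's code): line 3 passes a FlashVar as the
# JavaScript function name; line 5 uses a hard-coded name and is not reported.
SAMPLE = """\
var params:Object = root.loaderInfo.parameters;
var cb:String = params.callback;
ExternalInterface.call(cb, "ready");
var evt:String = "onReady";
ExternalInterface.call("Uploader.onEvent", evt);
"""

if __name__ == "__main__":
    for lineno, text, names in find_flashvar_sinks(SAMPLE):
        print(f"line {lineno}: FlashVar-tainted {names} reach ExternalInterface.call: {text}")
```

Only the first `ExternalInterface.call` is reported, because `cb` is derived from `loaderInfo.parameters`; a value that is reassigned to a constant before the call drops out of the tainted set.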
To simplify the remediation process, AppCheck was updated within hours of the public disclosure to correctly identify the flaw as a known vulnerability in WordPress.
Upgrade to the latest release of WordPress, 4.5.2 at the time of publication.