WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)


WordPress versions 4.5.1 and earlier are affected by an XSS vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Scanning WordPress

AppCheck includes dedicated WordPress and Adobe Flash scanning modules. AppCheck already flagged this flaw before the public disclosure, under the heading “Flash Cross Site Scripting via ExternalInterface.call”. AppCheck NG does not rely on vulnerability databases but instead adopts the same approach used in consultant-led penetration testing. In this case, the Adobe Flash static analysis module identifies that a Flashvar variable is passed to ExternalInterface.call, resulting in a Cross-Site Scripting vulnerability.

To simplify the remediation process, AppCheck was updated within hours of the public disclosure to correctly identify the flaw as a known vulnerability in WordPress.

Exploit Examples

Vulnerable versions will execute the JavaScript code alert(1) when the following URIs are accessed in the Chrome web browser:

http://[WORDPRESS_SITE]/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert`1`

http://[WORDPRESS_SITE]/wp-includes/js/plupload/plupload.flash.swf?target%g=alert&uid%g=hello&
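One way to look for requests shaped like the two URIs above in a web server access log, as an added example that is not AppCheck's or WordPress's own code. It assumes combined-format log lines; the function names and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# SWF paths taken from the two example URIs on this page.
SWF_PATHS = (
    "/wp-includes/js/mediaelement/flashmediaelement.swf",
    "/wp-includes/js/plupload/plupload.flash.swf",
)
# Assumption: combined-format access log with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A '%' not followed by two hex digits, as in "jsinitfunctio%gn".
BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def classify(log_line):
    """Return None, 'swf-with-query' or 'swf-malformed-escape'."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    try:
        target = urlsplit(match.group(1))
    except ValueError:  # unparseable request target
        return None
    if target.path.lower() not in SWF_PATHS or not target.query:
        return None
    if BAD_ESCAPE_RE.search(target.query):
        return "swf-malformed-escape"
    return "swf-with-query"  # lower confidence: review manually


def scan(lines):
    """Return (line_number, verdict, client_ip) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict, line.split(" ", 1)[0]))
    return hits


# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2016:09:14:02 +0000] "GET /wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert`1` HTTP/1.1" 200 29431',
    '198.51.100.23 - - [10/May/2016:09:15:40 +0000] "GET /wp-includes/js/plupload/plupload.flash.swf?target%g=alert&uid%g=hello& HTTP/1.1" 200 19120',
    '192.0.2.10 - - [10/May/2016:09:16:01 +0000] "GET /wp-includes/js/mediaelement/flashmediaelement.swf HTTP/1.1" 200 29431',
    '192.0.2.11 - - [10/May/2016:09:16:30 +0000] "GET /wp-login.php?redirect_to=%zz HTTP/1.1" 200 2310',
    '192.0.2.44 - - [10/May/2016:09:17:12 +0000] "GET /wp-includes/js/plupload/plupload.flash.swf?ver=1 HTTP/1.1" 200 19120',
]

print(scan(SAMPLE_LOG))
```

A `swf-with-query` hit is only a prompt for review; `swf-malformed-escape` is the verdict that matches the shape of the URIs above.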

Solution

Upgrade to the latest release of WordPress, 4.5.2 at the time of publication.
