WordPress 4.5.1 Cross-Site Scripting (CVE-2016-4566)
Security Alerts / Posted May 12, 2016
WordPress versions 4.5.1 and earlier are affected by an XSS vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
AppCheck includes dedicated WordPress and Adobe Flash scanning modules. This flaw was already flagged by AppCheck prior to the public disclosure under the heading "Flash Cross Site Scripting via ExternalInterface.call". AppCheck NG does not rely on vulnerability databases but rather adopts the same approach used in consultant-led penetration testing. In this case the Adobe Flash static analysis module identifies that a Flashvar variable is passed to ExternalInterface.call, resulting in a Cross-Site Scripting vulnerability.
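As an added illustration of the static check described above (this is not AppCheck's scanner and not Plupload's or MediaElement.js's code), a minimal taint-tracking heuristic over ActionScript source: it follows values read from loaderInfo.parameters (flashvars) through straight-line assignments and flags any that reach ExternalInterface.call, whose first argument the browser evaluates as a JavaScript expression in the hosting page. The sample source, the regex patterns and the straight-line flow assumption are all constructed for this example.

```python
import re

# Constructed sample ActionScript, not Plupload's or MediaElement.js's real source.
SAMPLE_AS = """
var cb:String = loaderInfo.parameters["callback"];
var id:String = root.loaderInfo.parameters.id;
var safe:String = "onReady";
ExternalInterface.call(cb, id);
ExternalInterface.call(safe, "x");
"""

# Source: loaderInfo.parameters.name or loaderInfo.parameters["name"]
FLASHVAR = re.compile(r'loaderInfo\.parameters(?:\.(\w+)|\["(\w+)"\])')
# Simple assignment: [var] name[:Type] = <rhs>;
ASSIGN = re.compile(r'(?:var\s+)?(\w+)(?::\w+)?\s*=\s*([^;]+);')
# Sink: ExternalInterface.call(<args>)
CALL = re.compile(r'ExternalInterface\.call\(([^)]*)\)')


def tainted_vars(src):
    """Map variable name -> flashvar it was derived from (straight-line flow only)."""
    tainted = {}
    for m in ASSIGN.finditer(src):
        name, rhs = m.group(1), m.group(2)
        fv = FLASHVAR.search(rhs)
        if fv:
            tainted[name] = fv.group(1) or fv.group(2)
            continue
        # propagate taint through plain copies such as `var b:String = a;`
        for ident in re.findall(r'\b\w+\b', rhs):
            if ident in tainted:
                tainted[name] = tainted[ident]
                break
    return tainted


def find_flashvar_to_externalinterface(src):
    """Return (line, arg_index, flashvar, role) for every tainted argument of the sink."""
    tainted = tainted_vars(src)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL.finditer(line):
            args = [a.strip() for a in m.group(1).split(",") if a.strip()]
            for pos, arg in enumerate(args):
                fv = FLASHVAR.search(arg)
                source = (fv.group(1) or fv.group(2)) if fv else tainted.get(arg)
                if source is not None:
                    # index 0 is evaluated as a JavaScript function expression;
                    # later positions are serialised into that call and need escaping review
                    role = "js-function-name" if pos == 0 else "argument"
                    findings.append((lineno, pos, source, role))
    return findings
```

Running `find_flashvar_to_externalinterface(SAMPLE_AS)` reports the `callback` flashvar reaching the function-name position and `id` reaching an argument position, while the hard-coded `"onReady"` call is not flagged.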
To simplify the remediation process, AppCheck was updated within hours of the public disclosure to correctly identify the flaw as a known vulnerability in WordPress.
Upgrade to the latest release of WordPress, 4.5.2 at the time of publication.