CVE-2015-3439: XSS
First published: Wed Aug 05 2015(Updated: )
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 | |
| WordPress | =3.9.0 | |
| WordPress | =3.9.1 | |
| WordPress | =3.9.2 | |
| WordPress | =3.9.3 | |
| WordPress | =4.0 | |
| WordPress | =4.0.1 | |
| WordPress | =4.1 | |
| WordPress | =4.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://codex.wordpress.org/Version_4.1.2
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html
- http://www.debian.org/security/2015/dsa-3250
- http://www.securityfocus.com/bid/74269
- http://www.securitytracker.com/id/1032207
- http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html
- https://core.trac.wordpress.org/changeset/32168
- https://wordpress.org/news/2015/04/wordpress-4-1-2/
- https://wpvulndb.com/vulnerabilities/7933
Frequently Asked Questions
What is the severity of CVE-2015-3439?
CVE-2015-3439 is classified as a moderate severity cross-site scripting vulnerability.
How do I fix CVE-2015-3439?
To fix CVE-2015-3439, update WordPress to version 4.1.2 or later.
What software is affected by CVE-2015-3439?
CVE-2015-3439 affects WordPress versions 3.9.x, 4.0.x, and 4.1.x prior to 4.1.2, as well as Debian Linux versions 7.0 and 8.0.
What kind of attack can be executed using CVE-2015-3439?
CVE-2015-3439 allows remote attackers to execute arbitrary same-origin JavaScript functions due to an XSS vulnerability.
Are there any known exploits for CVE-2015-3439?
Yes, known exploits for CVE-2015-3439 can allow attackers to manipulate user interactions through crafted payloads.
- agent/type
- agent/author
- agent/references
- agent/severity
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.9.0
- version/wordpress/3.9.1
- version/wordpress/3.9.2
- version/wordpress/3.9.3
- version/wordpress/4.0
- version/wordpress/4.0.1
- version/wordpress/4.1
- version/wordpress/4.1.1