Cross-site scripting (XSS) vulnerability in Plupload
Acunetix detected this XSS vulnerability in Plupload.js. WP 6.1.1
plupload
URL: https://*********************/wp-includes/js/plupload/plupload.js
Detection method: The library’s name and version were determined based on the file’s contents.
CVE-ID: CVE-2012-2401, CVE-2013-0237
Description: Same Origin Policy bypass / Cross-site scripting (XSS) vulnerability in Plupload.as
References:
https://www.cvedetails.com/cve/CVE-2012-2401/
https://www.cvedetails.com/cve/CVE-2013-0237/

Vulnerability Description
You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Discovered by JavaScript Library Audit (Internal)

How to fix this vulnerability
Upgrade to the latest version.

Classification
CWE: CWE-937
CVSS Base Score: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

The current version (v2.1.9) doesn’t seem to be the latest.
Plupload – multi-runtime File Uploader
* v2.1.9

It would be nice to have this library updated on the next WP upgrade.