Vulnerability Details: CVE-2015-3439
Potential exploit
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-3439
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:3.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:4.1:*:*:*:*:*:*:*
Threat overview for CVE-2015-3439
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2015-3439: 3
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2015-3439
- EPSS score: 0.97% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~83% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2015-3439
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2015-3439
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-3439
- http://www.securityfocus.com/bid/74269 : WordPress Multiple Security Vulnerabilities
- http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html : ZoczuS Blog: plupload - Same-Origin Method Execution [Wordpress 3.9 - 4.1.1] [Exploit]
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html : [SECURITY] Fedora 22 Update: wordpress-4.2.1-1.fc22
- https://core.trac.wordpress.org/changeset/32168 : Changeset 32168 – WordPress Trac
- https://wpvulndb.com/vulnerabilities/7933 : WordPress 3.9-4.1.1 - Same-Origin Method Execution
- http://www.debian.org/security/2015/dsa-3250 : Debian -- Security Information -- DSA-3250-1 wordpress
- http://www.securitytracker.com/id/1032207 : WordPress Input Validation Flaws Permit Cross-Site Scripting and SQL Injection Attacks - SecurityTracker
- https://wordpress.org/news/2015/04/wordpress-4-1-2/ : News – WordPress 4.1.2 Security Release – WordPress.org [Exploit; Vendor Advisory]
- http://codex.wordpress.org/Version_4.1.2 : Version 4.1.2 | WordPress.org [Exploit; Patch]
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html : [SECURITY] Fedora 21 Update: wordpress-4.2.2-1.fc21
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html : [SECURITY] Fedora 20 Update: wordpress-4.2.2-1.fc20