Vigil@nce - WordPress: Cross Site Scripting of VKontakte API tagcloud.swf
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a Cross Site Scripting in the WordPress Snazzy
Archives plugin, in order to execute JavaScript code with user’s
privileges.
Impacted products: WordPress
Severity: 2/4
Creation date: 14/03/2013
DESCRIPTION OF THE VULNERABILITY
The Snazzy Archives plugin for WordPress is used to visualize
posts. The Flash tagcloud.swf animation is used to create a cloud
with words.
However, the tagcloud.swf file of this plugin does not correctly
filters its inputs, before displaying them.
An attacker can therefore use a Cross Site Scripting in the
WordPress Snazzy Archives plugin, in order to execute JavaScript
code with user’s privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-Cross-Site-Scripting-of-VKontakte-API-tagcloud-swf-12522