Vigil@nce - WordPress: Cross Site Scripting of ZeroClipboard.swf
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit a Cross Site Scripting vulnerability in
WordPress plugins that use ZeroClipboard.swf, in order to execute
JavaScript code with the user's privileges.
Impacted products: WordPress
Severity: 2/4
Creation date: 14/03/2013
DESCRIPTION OF THE VULNERABILITY
The Flash ZeroClipboard.swf animation is used to copy and paste
text. It is used by several WordPress plugins.
However, the ZeroClipboard.swf (and ZeroClipboard10.swf) file does
not correctly filter its inputs before displaying them.
An attacker can therefore exploit a Cross Site Scripting
vulnerability in WordPress plugins that use ZeroClipboard.swf, in
order to execute JavaScript code with the user's privileges.
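
For administrators checking exposure, the following added example (not part of the Vigil@nce bulletin) inventories copies of the two SWF files named above under a WordPress plugins directory, grouped by plugin, with a SHA-256 of each so a copy can be compared against a corrected one from the plugin's maintainer. It assumes the standard wp-content/plugins/<plugin>/ layout; the function names and the default path are illustrative.

```python
import hashlib
import os
import sys

# File names taken from the bulletin; matched case-insensitively.
TARGET_NAMES = {"zeroclipboard.swf", "zeroclipboard10.swf"}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_zeroclipboard(plugins_dir):
    """Map each plugin directory name to the ZeroClipboard SWF copies it ships.

    Assumes the layout <plugins_dir>/<plugin>/... ; a file placed directly
    in plugins_dir is reported under the key "(no plugin directory)".
    """
    findings = {}
    plugins_dir = os.path.abspath(plugins_dir)
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugins_dir)
            parts = rel.split(os.sep)
            plugin = parts[0] if len(parts) > 1 else "(no plugin directory)"
            findings.setdefault(plugin, []).append((rel, sha256_of(full)))
    for entries in findings.values():
        entries.sort()
    return findings


if __name__ == "__main__":
    # Example invocation (path is an assumption, adjust to the site):
    #   python find_zeroclipboard.py /var/www/html/wp-content/plugins
    base = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for plugin, entries in sorted(find_zeroclipboard(base).items()):
        for rel, digest in entries:
            print(f"{plugin}\t{rel}\t{digest}")
```
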
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-Cross-Site-Scripting-of-ZeroClipboard-swf-12523