CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4699 – MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4699
The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins. The MediaElement.js – HTML5 Video & Audio Player for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page • https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2016-4567 – WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js
https://notcve.org/view.php?id=CVE-2016-4567
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." Vulnerabilidad de XSS en flash/FlashMediaElement.as en MediaElement.js en versiones anteriores a 2.21.0, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un formulario ofuscado del parámetro jsinitfunction, como es demostrado por "jsinitfunctio%gn". • http://www.openwall.com/lists/oss-security/2016/05/07/2 http://www.securitytracker.com/id/1035818 https://codex.wordpress.org/Version_4.5.2 https://core.trac.wordpress.org/changeset/37371 https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c https://github.com/johndyer/mediaelement/blob/master/changelog.md https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e https://wordpress.org/news/2016/05/wordpress-4-5-2 https://wpvulndb.com/vulnerabilities/8488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 86EXPL: 1CVE-2013-1967
https://notcve.org/view.php?id=CVE-2013-1967
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter. Vulnerabilidad de XSS en flashmediaelement.swf en MediaElement.js anterior a 2.11.2, utilizado en OwnCloud Server 5.0.x anterior a 5.0.5 y 4.5.x anterior a 4.5.10, permite a atacantes remotos inyectar script Web o HTML arbitrario a través del parámetro file. • http://owncloud.org/about/security/advisories/oC-SA-2013-017 http://seclists.org/oss-sec/2013/q2/111 http://seclists.org/oss-sec/2013/q2/133 http://secunia.com/advisories/53079 https://bugzilla.redhat.com/show_bug.cgi?id=955307 https://exchange.xforce.ibmcloud.com/vulnerabilities/83647 https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd https://github.com/johndyer/mediaelement/tree/2.11.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •