Szymon Gruszecki

**Name of the Vulnerable Software and Affected Versions** SWFupload versions 2.2.0.1 and earlier WordPress versions prior to 3.5.2 TinyMCE Image Manager versions 1.1 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `buttonText` parameter. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For SWFupload versions 2.2.0.1 and earlier, avoid using the `buttonText` parameter in the affected API endpoint until the issue is resolved. For WordPress versions prior to 3.5.2, update to version 3.5.2 or later. For TinyMCE Image Manager versions 1.1 and earlier, update to a version later than 1.1.