CVE-2015-3439

Name of the Vulnerable Software and Affected Versions Plupload versions 2.1.2 WordPress versions 3.9.x through 4.1.1

Description A cross-site scripting (XSS) issue allows remote attackers to execute same-origin JavaScript functions via the target parameter. This can be demonstrated by executing a certain click function, related to init.as and fireEvent.as files.

Recommendations For Plupload version 2.1.2, update to a version that fixes the XSS vulnerability. For WordPress versions 3.9.x through 4.1.1, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the plupload.flash.swf shim to minimize the risk of exploitation.