6 vulnerabilities found for mediaelement.js by mediaelementjs
CVE-2022-4699 (GCVE-0-2022-4699)
Vulnerability from nvd – Published: 2023-01-30 20:31 – Updated: 2025-03-27 19:24
Title
MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode
Summary
The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 Cross-Site Scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9 | exploit, vdb-entry, technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Unknown | MediaElement.js | Affected: 0, ≤ 4.2.8 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:48:39.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T19:23:19.355601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T19:24:11.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "MediaElement.js",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-30T20:31:47.064Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MediaElement.js \u2013 HTML5 Video \u0026 Audio Player \u003c= 4.2.8 - Contributor+ Stored XSS via Shortcode",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4699",
"datePublished": "2023-01-30T20:31:47.064Z",
"dateReserved": "2022-12-23T16:31:50.044Z",
"dateUpdated": "2025-03-27T19:24:11.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4567 (GCVE-0-2016-4567)
Vulnerability from nvd – Published: 2016-05-22 01:00 – Updated: 2024-08-06 00:32
Summary
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/johndyer/mediaelement/blob/master/changelog.md | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2016/05/07/2 | mailing-list, x_refsource_MLIST |
| https://codex.wordpress.org/Version_4.5.2 | x_refsource_CONFIRM |
| http://www.securitytracker.com/id/1035818 | vdb-entry, x_refsource_SECTRACK |
| https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c | x_refsource_MISC |
| https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e | x_refsource_CONFIRM |
| https://wpvulndb.com/vulnerabilities/8488 | x_refsource_MISC |
| https://wordpress.org/news/2016/05/wordpress-4-5-2/ | x_refsource_CONFIRM |
| https://core.trac.wordpress.org/changeset/37371 | x_refsource_CONFIRM |
Date Public
2016-05-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:32:26.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035818"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://core.trac.wordpress.org/changeset/37371"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-29T16:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035818"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://core.trac.wordpress.org/changeset/37371"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4567",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/johndyer/mediaelement/blob/master/changelog.md",
"refsource": "CONFIRM",
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"name": "https://codex.wordpress.org/Version_4.5.2",
"refsource": "CONFIRM",
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035818"
},
{
"name": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c",
"refsource": "MISC",
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"name": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e",
"refsource": "CONFIRM",
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"name": "https://wpvulndb.com/vulnerabilities/8488",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"name": "https://wordpress.org/news/2016/05/wordpress-4-5-2/",
"refsource": "CONFIRM",
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"name": "https://core.trac.wordpress.org/changeset/37371",
"refsource": "CONFIRM",
"url": "https://core.trac.wordpress.org/changeset/37371"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4567",
"datePublished": "2016-05-22T01:00:00.000Z",
"dateReserved": "2016-05-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:32:26.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-1967 (GCVE-0-2013-1967)
Vulnerability from nvd – Published: 2014-02-05 15:00 – Updated: 2024-08-06 15:20
Summary
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/83647 | vdb-entry, x_refsource_XF |
| https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=955307 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2013/q2/111 | mailing-list, x_refsource_MLIST |
| http://secunia.com/advisories/53079 | third-party-advisory, x_refsource_SECUNIA |
| http://owncloud.org/about/security/advisories/oC-SA-2013-017 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2013/q2/133 | mailing-list, x_refsource_MLIST |
| https://github.com/johndyer/mediaelement/tree/2.11.1 | x_refsource_CONFIRM |
Date Public
2013-04-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mediaelementjs-flashmediaelement-xss(83647)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83647"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=955307"
},
{
"name": "[oss-security] 20130417 Fwd: Re: CVE Request: ownCloud 5.0.5 and 4.5.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/111"
},
{
"name": "53079",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/53079"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2013-017"
},
{
"name": "[oss-security] 20130421 ownCloud Security Advisories (2013-017, 2013-018)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/133"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/tree/2.11.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-04-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "mediaelementjs-flashmediaelement-xss(83647)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83647"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=955307"
},
{
"name": "[oss-security] 20130417 Fwd: Re: CVE Request: ownCloud 5.0.5 and 4.5.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/111"
},
{
"name": "53079",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/53079"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2013-017"
},
{
"name": "[oss-security] 20130421 ownCloud Security Advisories (2013-017, 2013-018)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/133"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/tree/2.11.1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1967",
"datePublished": "2014-02-05T15:00:00.000Z",
"dateReserved": "2013-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T15:20:37.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4699 (GCVE-0-2022-4699)
Vulnerability from cvelistv5 – Published: 2023-01-30 20:31 – Updated: 2025-03-27 19:24
Title
MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode
Summary
The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 Cross-Site Scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9 | exploit, vdb-entry, technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Unknown | MediaElement.js | Affected: 0, ≤ 4.2.8 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:48:39.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T19:23:19.355601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T19:24:11.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "MediaElement.js",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-30T20:31:47.064Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/e57f38d9-889a-4f82-b20d-3676ccf9c6f9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MediaElement.js \u2013 HTML5 Video \u0026 Audio Player \u003c= 4.2.8 - Contributor+ Stored XSS via Shortcode",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4699",
"datePublished": "2023-01-30T20:31:47.064Z",
"dateReserved": "2022-12-23T16:31:50.044Z",
"dateUpdated": "2025-03-27T19:24:11.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4567 (GCVE-0-2016-4567)
Vulnerability from cvelistv5 – Published: 2016-05-22 01:00 – Updated: 2024-08-06 00:32
Summary
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/johndyer/mediaelement/blob/master/changelog.md | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2016/05/07/2 | mailing-list, x_refsource_MLIST |
| https://codex.wordpress.org/Version_4.5.2 | x_refsource_CONFIRM |
| http://www.securitytracker.com/id/1035818 | vdb-entry, x_refsource_SECTRACK |
| https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c | x_refsource_MISC |
| https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e | x_refsource_CONFIRM |
| https://wpvulndb.com/vulnerabilities/8488 | x_refsource_MISC |
| https://wordpress.org/news/2016/05/wordpress-4-5-2/ | x_refsource_CONFIRM |
| https://core.trac.wordpress.org/changeset/37371 | x_refsource_CONFIRM |
Date Public
2016-05-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:32:26.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035818"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://core.trac.wordpress.org/changeset/37371"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-29T16:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035818"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://core.trac.wordpress.org/changeset/37371"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4567",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/johndyer/mediaelement/blob/master/changelog.md",
"refsource": "CONFIRM",
"url": "https://github.com/johndyer/mediaelement/blob/master/changelog.md"
},
{
"name": "[oss-security] 20160507 CVE Request: wordpress and mediaelement",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/05/07/2"
},
{
"name": "https://codex.wordpress.org/Version_4.5.2",
"refsource": "CONFIRM",
"url": "https://codex.wordpress.org/Version_4.5.2"
},
{
"name": "1035818",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035818"
},
{
"name": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c",
"refsource": "MISC",
"url": "https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"
},
{
"name": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e",
"refsource": "CONFIRM",
"url": "https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e"
},
{
"name": "https://wpvulndb.com/vulnerabilities/8488",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/8488"
},
{
"name": "https://wordpress.org/news/2016/05/wordpress-4-5-2/",
"refsource": "CONFIRM",
"url": "https://wordpress.org/news/2016/05/wordpress-4-5-2/"
},
{
"name": "https://core.trac.wordpress.org/changeset/37371",
"refsource": "CONFIRM",
"url": "https://core.trac.wordpress.org/changeset/37371"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4567",
"datePublished": "2016-05-22T01:00:00.000Z",
"dateReserved": "2016-05-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:32:26.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-1967 (GCVE-0-2013-1967)
Vulnerability from cvelistv5 – Published: 2014-02-05 15:00 – Updated: 2024-08-06 15:20
Summary
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/83647 | vdb-entry, x_refsource_XF |
| https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd | x_refsource_CONFIRM |
| https://bugzilla.redhat.com/show_bug.cgi?id=955307 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2013/q2/111 | mailing-list, x_refsource_MLIST |
| http://secunia.com/advisories/53079 | third-party-advisory, x_refsource_SECUNIA |
| http://owncloud.org/about/security/advisories/oC-SA-2013-017 | x_refsource_CONFIRM |
| http://seclists.org/oss-sec/2013/q2/133 | mailing-list, x_refsource_MLIST |
| https://github.com/johndyer/mediaelement/tree/2.11.1 | x_refsource_CONFIRM |
Date Public
2013-04-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mediaelementjs-flashmediaelement-xss(83647)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83647"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=955307"
},
{
"name": "[oss-security] 20130417 Fwd: Re: CVE Request: ownCloud 5.0.5 and 4.5.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/111"
},
{
"name": "53079",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/53079"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2013-017"
},
{
"name": "[oss-security] 20130421 ownCloud Security Advisories (2013-017, 2013-018)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/133"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/johndyer/mediaelement/tree/2.11.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-04-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "mediaelementjs-flashmediaelement-xss(83647)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83647"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=955307"
},
{
"name": "[oss-security] 20130417 Fwd: Re: CVE Request: ownCloud 5.0.5 and 4.5.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/111"
},
{
"name": "53079",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/53079"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owncloud.org/about/security/advisories/oC-SA-2013-017"
},
{
"name": "[oss-security] 20130421 ownCloud Security Advisories (2013-017, 2013-018)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/133"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/johndyer/mediaelement/tree/2.11.1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1967",
"datePublished": "2014-02-05T15:00:00.000Z",
"dateReserved": "2013-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T15:20:37.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}