CVE-2016-4567
MediaElement Vulnerable to Reflected XSS
Severity: 6.1 MEDIUM (CVSS 3.1)
EPSS: 3.2%
Description
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.swf in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
How to fix CVE-2016-4567
To remediate CVE-2016-4567, upgrade the affected package to one of the fixed versions listed below.
- no fix listed
- upgrade to 2.11.1 or later
- upgrade to 2.21.1 or later
- upgrade to 3.5.15 or later
Is CVE-2016-4567 being exploited?
Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0
- from 0, < 2.11.1
- >= 2.14.2, < 2.21.1
- >= 3.0.0, < 3.5.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |