Vulnerabilities in multiple plugins for WordPress with GDD FLVPlayer
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 28 Aug 2013 23:52:46 +0300
These are Content Spoofing and Cross-Site Scripting vulnerabilities in
multiple web applications with GDD FLVPlayer. Earlier I wrote about
vulnerabilities in GDD FLVPlayer
(http://seclists.org/fulldisclosure/2013/Aug/247). This is a video and audio
player, which is used at thousands of web sites and in multiple web
Among them are the following themes for WordPress: I Love It (I wrote about it
earlier, http://seclists.org/fulldisclosure/2013/Jul/116), Megusta,
Multipress, Lolzine, V1. This Flash video and audio player is also used as a
standalone web application in many custom themes and in different CMSs
(WordPress, Joomla), in non-theme folders.
Vulnerable are web applications which use GDD FLVPlayer v3.635 and
All versions of the following web applications are vulnerable: I Love It,
Megusta, Multipress, Lolzine, V1.
GDD FLVPlayer was developed by GeDeDe.
XSS (via Flash Injection) (WASC-08):
I Love It:
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in PHP files (in index.php and
others), which is typical for WP themes.
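The theme-file FPD pattern described above, illustrated with an added check that is not part of the advisory and not code from any of the named themes: a template such as index.php requested directly at its theme URL runs outside WordPress, so a call like get_header() is undefined and, when display_errors is on, PHP's fatal-error message prints the file's absolute server path. The script below scans a theme directory for PHP files that call WordPress template functions before any direct-access guard (the usual `if (!defined('ABSPATH')) exit;`). The guard patterns, the list of template functions and the sample files are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Hypothetical detector (not from the advisory or any named theme). A theme PHP
# file that calls WordPress template functions without first checking that it was
# loaded through WordPress will, on a direct request, die on an undefined function
# and (with display_errors on) echo its absolute path: full path disclosure.

# Direct-access guards commonly seen in WP themes and plugins (assumed list).
GUARD_PATTERNS = [
    re.compile(r"defined\(\s*['\"]ABSPATH['\"]\s*\)"),          # if (!defined('ABSPATH')) exit;
    re.compile(r"defined\(\s*['\"]WPINC['\"]\s*\)"),
    re.compile(r"function_exists\(\s*['\"]add_action['\"]\s*\)"),
]
# Template functions that only exist when WordPress core is loaded (assumed subset).
WP_CALLS = re.compile(
    r"\b(get_header|get_footer|get_sidebar|wp_head|wp_footer|the_post|have_posts)\s*\("
)


def is_guarded(src: str) -> bool:
    """True if a direct-access guard appears before the first WP template call."""
    first_call = WP_CALLS.search(src)
    if first_call is None:
        return True  # nothing to trip on: direct access yields static output, no fatal error
    head = src[: first_call.start()]
    return any(p.search(head) for p in GUARD_PATTERNS)


def scan_theme(theme_dir: str) -> list[str]:
    """Return theme-relative paths of PHP files that would disclose their path on direct access."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not is_guarded(fh.read()):
                    findings.append(os.path.relpath(path, theme_dir))
    return sorted(findings)


# Constructed sample files: the common unguarded template, a guarded one, and a
# helper with no template calls at all.
UNGUARDED = "<?php\nget_header();\nwhile (have_posts()) { the_post(); }\nget_footer();\n"
GUARDED = (
    "<?php\nif (!defined('ABSPATH')) { http_response_code(403); exit; }\n"
    "get_header();\nget_footer();\n"
)
PLAIN = "<?php\n// helper with no template calls\nfunction example_helper() { return 1; }\n"


def demo() -> list[str]:
    """Write the constructed samples into a temporary theme directory and scan it."""
    samples = {"index.php": UNGUARDED, "single.php": GUARDED, "inc/helper.php": PLAIN}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_theme(tmp)


if __name__ == "__main__":
    print(demo())  # ['index.php']
```

Point the script at a real theme directory with `scan_theme("/path/to/wp-content/themes/<theme>")`. It is a textual heuristic: it does not know whether a file is reachable by URL, and a guard placed inside a function does not count. Adding the guard removes the fatal error on direct requests; disabling display_errors in php.ini (not only via ini_set in the file) is the server-side setting that keeps any remaining error from printing the path.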
In the last theme the path can be v1, v1.0, v1.3.5 or other variants. At some
web sites Jplayer (about whose multiple vulnerabilities I wrote earlier) is
used instead of GDD FLVPlayer.
These are examples of XSS and FPD vulnerabilities; for examples of the 8 CS
vulnerabilities see the above-mentioned advisory.
I mentioned these vulnerabilities at my site
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/