Hello list! This are Content Spoofing vulnerabilities in TinyMCE and WordPress. Which I've disclosed on Wednesday. In 2011 I already wrote about Content Spoofing in Moxieplayer, when I wrote concerning multiple vulnerabilities in TinyMCE (http://securityvulns.ru/docs27349.html), which is a component of Media plugin for TinyMCE (it's a part of core of TinyMCE). This visual editor is bundled with hundreds of web applications, particularly with WordPress. This flash file is bundled with WP since version 3.3. ------------------------- Affected products: ------------------------- Vulnerable are versions TinyMCE 3.4b2 - 4.0b3. For the first vulnerability versions WordPress 3.3 - 3.4.2 are vulnerable. For the second vulnerability versions WordPress 3.3 - 3.5.1 are vulnerable. This hole was fixed in WordPress 3.5.2 (note that WP developers incorrectly called this CS hole as XSS in announcement at their site, at that in codex they wrote correctly). ---------- Details: ---------- Content Spoofing (WASC-12): If previous vulnerability, which I found in 2011, looked the next (since TinyMCE 3.4b2 and in version 3.4.7 it was fixed): http://site/moxieplayer.swf?url=http://site2/1.flv Then recently new vulnerability was found (by Wan Ikram), which allows to bypass protection and conduct CS attack: http://site/moxieplayer.swf#?url=http://site2/1.flv In June this vulnerability was fixed. Updated version of Moxieplayer is present in TinyMCE 4.0. In WordPress the attack with using of this flash-file looks the next. The first variant (WP 3.3 - 3.4.2): http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf?url=http://site2/1.flv The second variant (WP 3.3 - 3.5.1): http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf#?url=http://site2/1.flv ------------ Timeline: ------------ 2013.06.21 - released WP 3.5.2 with updated version of Moxieplayer. 2013.06.26 - disclosed at my site (http://websecurity.com.ua/6604/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua