Hello list! These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities in I Love It theme for WordPress. This is commercial (premium) theme. ------------------------- Affected products: ------------------------- All versions of I Love It theme for WordPress. The theme contains vulnerable versions of Audio Player and GDD FLVPlayer. ------------------------- Affected vendors: ------------------------- CosmoThemes http://cosmothemes.com ---------- Details: ---------- Cross-Site Scripting (WASC-08): http://site/wp-content/themes/iloveit/lib/php/assets/player.swf?playerID=%22))}catch(e){alert(document.cookie)}// Content Spoofing (WASC-12): http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf There are 10 vulnerabilities in GDD FLVPlayer: 8 CS and 2 XSS. Which I announced recently (http://websecurity.com.ua/6642/) and informed developers of GDD FLVPlayer. These vulnerabilities will be disclosed later. Full path disclosure (WASC-13): http://site/wp-content/themes/iloveit/ There are FPD vulnerabilities in index.php and other php-files (in folder and subfolders). ------------ Timeline: ------------ 2013.05.24 - informed CosmoThemes about vulnerabilities in their I Love It New theme. 2013.07.11 - disclosed at my site (http://websecurity.com.ua/6646/). 2013.07.12 - informed developers about vulnerabilities in their I Love It theme. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua