CVE-2016-9263

CVE Database · CVE-2016-9263

CVE-2016-9263

· N/AModified

CVSS v3.1

N/A

EPSS

2.55%

Published

Oct 12, 2017

Modified

May 12, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

Weaknesses (CWE)

CWE-20

Affected Products (1)

wordpress · wordpressvulnerable

References (4)

http://www.securityfocus.com/bid/101294

Third Party AdvisoryVDB Entry

https://opnsec.com/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress/

MitigationThird Party Advisory

http://www.securityfocus.com/bid/101294

Third Party AdvisoryVDB Entry

https://opnsec.com/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress/

MitigationThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs