Support » Plugin: WordPress Gallery Plugin - NextGEN Gallery » XSS via plupload -> Moxie.swf

  • Hi,

    We have been notified via our bug bounty program ( && ) about a potential open-redirect in MoxiePlayer. I was able to replicate the issue on Mac with the latest Firefox and Flash Player (tested on v4.7.5).

    Moxie is part of nextgen-gallery via plupload plugin. Path to file:


    Attack vector looks like


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Imagely


    @krala – Thanks for the report, we would appreciate these details as a Bug Report here:

    I’ll advise our developers immediately.

    – Cais.

    Cool, thank you. I was not able to find the bug reporting URL, to be honest.

    Plugin Author Imagely


    @krala – We’re working towards the most appropriate solution. We do recognize it is possible to exploit this particular vector although we are also seeing the underlying requirements to be able to exploit this would also open other attack vectors not related to NextGEN Gallery specifically.


    – Cais.

  • The topic ‘XSS via plupload -> Moxie.swf’ is closed to new replies.