tl;dr: Stored XSSes in the Facebook wall by embedding an external video with Open Graph. When a user clicks to play the video, the XSS executes on facebook.com. Introduction: I reported multiple stored XSS vulnerabilities in the Facebook wall in April 2017. These stored XSS vulnerabilities were also present in WordPress, so I waited for WordPress to patch them before… Read More


Last week, I disclosed the existence of an unpatched Flash vulnerability in WordPress (http://18.219.132.117/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress/). Today, I disclose the technical details of this vulnerability. However, contrary to what I announced before, I won’t provide a PoC or enough technical details to allow attackers to exploit it. Responsible disclosure of unpatched vulnerabilities is never easy, and I’m trying… Read More


Please patch this issue on your WordPress websites immediately and ask WordPress to release a patched version before I publicly release the technical details on Oct 19th 2017. What is the vulnerability? There is an unpatched vulnerability in the latest and older WordPress releases. The vulnerability is a cross-domain Flash injection (XSF), which impacts… Read More