Stored XSS on Facebook

tl;dr: Stored XSSes in Facebook wall by embedding an external video with Open Graph. When a user clicks to play the video, the XSS executes on facebook.com.

Introduction

I reported multiple stored XSS on Facebook wall in April 2017. These stored XSS vulnerabilities were also present in WordPress so I waited for WordPress to patch it before…

FlashME! – WordPress vulnerability disclosure [CVE-2016-9263]

Last week, I disclosed the existence of an unpatched Flash vulnerability on WordPress (https://opnsec.com/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress/). Today, I disclose technical details about this vulnerability. However, contrary to what I announced before, I won’t provide a POC nor enough technical details to allow attackers to exploit it. Responsible disclosure of unpatched vulnerabilities is never easy, and I’m trying…

[CVE-2016-9263] XSF vulnerability in WordPress [UPDATED]

Please patch this issue on your WordPress websites immediately and ask WordPress to release a patched version before I publicly release technical details about this on Oct 19th 2017.

What is the vulnerability?

There is an unpatched vulnerability in the latest and older WordPress releases. The vulnerability is a cross-domain Flash injection (XSF), which impact…