WordPress is vulnerable to cross-domain Flash injection (XSF) attacks. The attack can be triggered via code contained in the wp-includes/js/mediaelement/flashmediaelement.swf file. The vulnerability is possible only when domain-based sandboxing of flashmediaelement.swf is not used.
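To see which installs on a host still ship this file, the following added example (not part of the original advisory or of WordPress itself) walks a directory tree, finds each WordPress root and reports whether the SWF is present. It assumes the install's version is declared as $wp_version in wp-includes/version.php; the function names are illustrative.

```python
import os
import re
import sys

# Path taken from the advisory text, relative to a WordPress root.
SWF_REL = os.path.join("wp-includes", "js", "mediaelement", "flashmediaelement.swf")
# Assumption: the install declares its version here as $wp_version = '...';
VERSION_REL = os.path.join("wp-includes", "version.php")
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")
# Core directories that cannot contain a nested install worth descending into.
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}


def read_wp_version(root):
    """Return the $wp_version string from version.php, or None if unreadable."""
    try:
        with open(os.path.join(root, VERSION_REL), encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def find_installs(base):
    """Yield (root, version, swf_present) for each WordPress tree under base."""
    for dirpath, dirnames, _ in os.walk(base):
        if os.path.isfile(os.path.join(dirpath, VERSION_REL)):
            swf_present = os.path.isfile(os.path.join(dirpath, SWF_REL))
            yield dirpath, read_wp_version(dirpath), swf_present
            # Skip the core tree but keep walking siblings (e.g. a nested /blog install).
            dirnames[:] = [d for d in dirnames if d not in CORE_DIRS]


def audit(base):
    """Return (root, version) for installs under base that still ship the SWF."""
    return [(root, ver) for root, ver, swf in find_installs(base) if swf]


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for root, ver in audit(base):
        print(f"{root}\tWordPress {ver or 'unknown'}\t{SWF_REL} present")
```

Run it with the web root as the only argument; each output line is one install where the file exists on disk.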