Multiple vulnerabilities were found in the themes designed to be used for Wordpress with jPlayer. There are thousands of themes for WordPress using jPlayer and websites which places Jplayer.swf in other folders besides plugins and themes. The vulnerabilities found to be exposing the themes and the websites to cross site scripting, content spoofing and full disclosure vulnerabilities.
The simple google search puts the number of affected themes to 313,000 and for Jplayer the number is 32,000. All the themes of all the versions of the following products are affected:-
Studiozen, Photocrati, Music, Imperial Fairytale and Feather12 themes.
These findings were posted in Seclist . The researcher named MustLive also said,
Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to mentioned XSS, except CS via JS and XSS via JS callbacks.
The affected products, Studiozen, Photocrati, Music, Imperial Fairytale and Feather12 themes can be exploited using XSS vulnerability.
Any audio or video content can be inserted from external sources using cross site scripting or script. This requires HTML Injection vulnerability at the site.So if the website owner has not taken care in protecting the website against the HTML injection vulnerability, then the website may be exploited using content spoofing.
The researcher on WP themes said,
All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typically for WP themes.