This plugin is prone to multiple vulnerabilities:
- Path disclosure via the thumb.php “src” parameter.
- Cross-site scripting in the thumb.php “src” parameter.
- Path disclosure via direct request to rokbox.php.
- Arbitrary file upload via the thumb.php “src” parameter.
- Error log information disclosure via direct request to error_log.
- Cross-site scripting in the jwplayer/jwplayer.swf “abouttext” parameter.
Because of these vulnerabilities, attackers can obtain sensitive information, perform certain administrative actions, gain unauthorized access, upload arbitrary files or bypass certain security restrictions.
Solution
Update the plugin.
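
To check whether the endpoints listed above have been requested on a site, the following added example (not part of the original advisory or the plugin's code) triages web server access-log lines against the six issues. The log lines, the `/path/to/plugin/` prefix and the plain-image-path allowlist for “src” are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target and status from a common/combined-format access-log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: a legitimate thumbnail source is a plain relative image path.
PLAIN_IMAGE = re.compile(r'^[A-Za-z0-9_./-]+\.(?:jpe?g|png|gif)$', re.I)

def classify(target, status):
    """Return a finding for one request target, or None if unremarkable."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if path.endswith("/thumb.php"):
        src = query.get("src", [""])[0]
        if ".." in src or not PLAIN_IMAGE.match(src):
            return "thumb.php: src is not a plain local image path"
    elif path.endswith("/rokbox.php"):
        return "rokbox.php: requested directly"
    elif path.endswith("/error_log"):
        served = "served" if status == "200" else "not served"
        return f"error_log: requested directly ({served}, status {status})"
    elif path.endswith("/jwplayer/jwplayer.swf") and "abouttext" in query:
        return "jwplayer.swf: abouttext parameter supplied"
    return None

def triage(lines):
    """Return (line_number, finding) for every log line worth reviewing."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        finding = classify(*match.groups()) if match else None
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample log lines (documentation IP range, placeholder install path).
P = '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /path/to/plugin/'
SAMPLE_LOG = [
    P + 'thumb.php?src=images/photo.jpg HTTP/1.1" 200 5120',
    P + 'thumb.php?src=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 310',
    P + 'rokbox.php HTTP/1.1" 200 412',
    P + 'error_log HTTP/1.1" 200 20480',
    P + 'jwplayer/jwplayer.swf?abouttext=test HTTP/1.1" 200 90112',
]

if __name__ == "__main__":
    for number, finding in triage(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

A 200 response for error_log means the file is being served to visitors and should be blocked or removed at the web server in addition to updating.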