These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications that bundle GDD FLVPlayer. Earlier I wrote about vulnerabilities in GDD FLVPlayer itself (http://seclists.org/fulldisclosure/2013/Aug/247). It is a Flash video and audio player used at thousands of web sites and in multiple web applications.
Among them are the following WordPress themes: I Love It (I wrote about it earlier, http://seclists.org/fulldisclosure/2013/Jul/116), Megusta, Multipress, Lolzine, V1. This Flash video and audio player is also used as a standalone web application in many custom themes and in different CMS (WordPress, Joomla) in folders outside the themes directory.
Web applications using GDD FLVPlayer v3.635 and previous versions are vulnerable.
All versions of the following web applications are vulnerable: I Love It, Megusta, Multipress, Lolzine, V1.
GDD FLVPlayer was developed by GeDeDe.
XSS (via Flash Injection) (WASC-08):
I Love It:
Full path disclosure (WASC-13):
All mentioned themes have FPD vulnerabilities in PHP files (index.php and others), which is typical for WP themes: requesting a theme file directly, outside the WordPress bootstrap, produces a PHP error whose message reveals the absolute path on the server.
In the last theme the path can be v1, v1.0, v1.3.5 and other variants. At some web sites Jplayer (about whose multiple vulnerabilities I wrote earlier) is used instead of GDD FLVPlayer.
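The following is an added example of the defender's side of the FPD issue; it is not code from the advisory or from any of the named themes, and the template file it stands in for (a theme index.php) is assumed. It shows the direct-access guard WordPress theme files should carry, plus the error-display settings that keep a path out of any error message that does slip through.

```php
<?php
// Added example (not from the advisory or the named themes).
// A WordPress theme template such as index.php. When this file is requested
// directly instead of being loaded by WordPress, functions like get_header()
// are undefined and PHP raises a fatal error whose message contains the
// absolute path of the file: the Full Path Disclosure described above.
// ABSPATH is defined only when WordPress has bootstrapped, so checking it
// stops execution before any such call can fail.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

get_header();
// ... rest of the template (assumed, theme-specific markup) ...
get_footer();

// Defence in depth, placed in wp-config.php rather than in the theme:
// the path only leaks because errors are rendered to the client. Log them
// on the server instead. WP_DEBUG_DISPLAY is WordPress's own switch for
// showing errors in the page; display_errors is the underlying PHP setting.
//
//   define( 'WP_DEBUG', false );
//   define( 'WP_DEBUG_DISPLAY', false );
//   define( 'WP_DEBUG_LOG', true );
//   @ini_set( 'display_errors', '0' );
//   @ini_set( 'log_errors', '1' );
```

The guard alone removes the disclosure from the guarded file, but a theme typically has many template files, so the wp-config.php settings are what cover the ones a developer forgets; both measures are standard WordPress practice and do not depend on the player at all.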
These are examples of XSS and FPD vulnerabilities; for examples of the 8 Content Spoofing vulnerabilities, see the above-mentioned advisory.
I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6731/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua