As stated in this announcement on Full Disclosure, every major old version of WordPress (from 2.5 to 3.3.1) bundled a SWF applet named swfupload.swf, which is vulnerable to XSS. The original hole was found by Neal Poole. Together with Ryan we investigated this issue a little, and after performing a quick dork on Google he noticed that a few WordPress plugins were bundling the very same vulnerable applet. To spot all the affected plugins I wrote a quick crawl and ran it against the public...