It’s good that you quickly fixed XSS hole in your plugin after I informed you, but besides XSS, there is also HTML Injection hole (because WP-Cumulus functionality allows both these attacks). As I wrote about it later in my advisory about vulnerabilities in WP-Cumulus and in my article XSS vulnerabilities in 34 millions flash files (on English). So after your fix, the HTML Injection attacks are still possible.

> I feel it’s the port authors’ responsibility to keep their projects in sync with WP-Cumulus.

Yes, their ones. But don’t forget that you are the author of the most widespread vulnerable flash file in Internet (there are about 34 millions of tagcloud.swf), as it clearly seen from my above-mentioned article. So you also need to take some responsibility .

> There are so many that I can’t possibly inform all of them of changes and new features.

I understand it. And I took this mission on myself. Besides you, I already informed 3 authors of plugins with this swf-file (Joomulus, JVClouds3D and Blogumus) and would try to continue this work.

> WP-Cumulus now blocks javascript calls which makes it much more robust

Yes, it’s already XSS free (and during my researches I found sites which used new version of swf-file). But there still HTML Injection vulnerability in it.

As you said, there are many Flash files out there that call urls. It’s common practice for Flash developers to not store data inside movies but feed it to them through Flashvars, which can be overwritten. WP-Cumulus now blocks javascript calls which makes it much more robust, all I can do is hope other projects will get updated too.

There are really many flash files tagcloud.swf (which you developed for your plugin) in Internet. As I wrote in December in my article XSS vulnerabilities in 8 millions flash files about XSS holes in flash banners all over the Web, there are up 34 millions tagcloud.swf files which are potentially vulnerable to XSS attacks.

But there have been a number of ports and other projects that use the Flash movie.

Yes, there are other projects with you flash file.

These 34 millions flashes include not only your plugin WP-Cumulus for WordPress, but also other plugins for other engines. As I found in December, such XSS hole exists in Joomulus for Joomla (and I informed the author of Joomulus, but with no response from him). And there are many other projects with this swf file which can be vulnerable. So these projects and their authors must be found and informed about the risk of XSS hole in tagcloud.swf.

I discovered your plugin via MinMaps Unleashed and love its effects.

Is this only available on WordPress or can I use it for my (blogger) blog?

Thanks

Helen

I modified it and would like to use it on my web page (please go to http://www.bsten.se to see example) – what about copyright issues etc?

Is it possible to have an image in the background (I tried using the style sheet url code, but it didn’t work).

Also, is it possible to remove the frames from the tags/links when hovering?

Cheers from Sweden!!