Video on Admin Dashboard < 1.1.4 - Authenticated Stored XSS

Description
Video on Admin Dashboard is vulnerable to stored XSS. A user with admin capabilities can submit malicious code through the plugin's options; the stored value is later rendered on the dashboard without being escaped.
Proof of Concept
A user can insert a simple script in the Widget Title text field, e.g. "><script>alert('XSS');</script>. Every user role the plugin is configured to show the widget to will now be exposed to the script.

Video example: https://youtu.be/pteSfFcrEOQ
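The root cause described above is an option value that is written to the dashboard page without context-appropriate escaping. The snippet below is an added illustration and is not code from the Video on Admin Dashboard plugin: it shows the unsafe pattern next to a hardened save-and-render pair that uses the standard WordPress helpers (sanitize_text_field, esc_attr, esc_html, check_admin_referer, current_user_can). The function and option names prefixed vad_demo_ are hypothetical, and the code assumes it runs inside a loaded WordPress environment.

```php
<?php
// Added example, not the plugin's own code. Option and function names
// (vad_demo_*) are hypothetical; the WordPress API functions are real.

// Unsafe pattern: the stored title is echoed raw into an attribute, so a value
// such as  "><script>alert('XSS');</script>  closes the attribute and the tag
// and executes for every dashboard user the widget is displayed to.
function vad_demo_render_title_unsafe() {
    $title = get_option('vad_demo_widget_title', '');
    echo '<input type="text" name="vad_demo_widget_title" value="' . $title . '">';
}

// Hardened save handler: require the capability, verify the nonce, then
// sanitise the submitted value before it is stored.
function vad_demo_save_settings() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    // Nonce action name is hypothetical; it must match the form's wp_nonce_field().
    check_admin_referer('vad_demo_save_settings');

    $title = isset($_POST['vad_demo_widget_title'])
        ? sanitize_text_field(wp_unslash($_POST['vad_demo_widget_title']))
        : '';
    update_option('vad_demo_widget_title', $title);
}

// Hardened output: escape for the exact HTML context at render time.
// Escaping on output is the control that closes the stored-XSS path even if a
// tainted value is already sitting in the database from an older version.
function vad_demo_render_title_safe() {
    $title = get_option('vad_demo_widget_title', '');
    // Attribute context.
    echo '<input type="text" name="vad_demo_widget_title" value="' . esc_attr($title) . '">';
    // Text-node context.
    echo '<h2>' . esc_html($title) . '</h2>';
}
```

The important design point is that sanitising on save and escaping on output are separate controls: sanitize_text_field limits what gets stored, but only esc_attr/esc_html at the point of rendering guarantees that whatever is in the option cannot break out of its HTML context.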

Affects Plugin

Fixed in version 1.1.4

References

URL http://jrjmulder.nl/plugins/video-on-admin-dashboard/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Jeroen Mulder
Submitter Jeroen Mulder
Submitter Website https://jrjmulder.nl
Views 8938
Verified No
WPVDB ID 10019

Timeline

Publicly Published 2020-01-11
Added 2020-01-11
Last Updated 2020-01-12
