FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS



Description
The vulnerable function is exposed to unauthenticated users through the `wp_ajax_nopriv_fv_wp_flowplayer_email_signup` AJAX hook. It saves whatever the user provides in the `email` POST parameter.
Proof of Concept
Send a POST request to wp-admin/admin-ajax.php with the following body content:

"action=fv_wp_flowplayer_email_signup&list=1&email=<svg/onload=prompt(1)>@test.com"

The provided email input is then rendered on the email export screen.
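The two defences this bug calls for, validating the `email` field before it is stored and escaping it when the export screen renders it, modelled in Python as an added example. It is not the plugin's code or its fix; the address pattern, the function names and the sample request bodies are assumptions constructed here.

```python
import html
import re
from urllib.parse import parse_qs

ACTION = "fv_wp_flowplayer_email_signup"  # AJAX action named in the advisory

# Assumed strict address pattern for this example (not the plugin's own rule):
# only characters that cannot open a tag or an attribute are accepted.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def signup_email(body):
    """Return the email field of a signup request body, or None for other actions."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != ACTION:
        return None
    return fields.get("email", [""])[0]


def is_valid_email(value):
    """Input-side check: reject anything that is not a plain address."""
    return EMAIL_RE.fullmatch(value) is not None


def triage(bodies):
    """Return signup emails that fail validation and should never be stored."""
    emails = (signup_email(b) for b in bodies)
    return [e for e in emails if e is not None and not is_valid_email(e)]


def render_cell(value):
    """Output-side check: HTML-escape a stored value before it reaches the page."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed request bodies; the second is the body from the Proof of Concept.
SAMPLE_BODIES = [
    "action=fv_wp_flowplayer_email_signup&list=1&email=alice%40example.org",
    "action=fv_wp_flowplayer_email_signup&list=1&email=<svg/onload=prompt(1)>@test.com",
    "action=heartbeat&email=<b>ignored</b>",
]

if __name__ == "__main__":
    for bad in triage(SAMPLE_BODIES):
        print("rejected:", bad, "| escaped for display:", render_cell(bad))
```

The same `triage` function can be pointed at logged request bodies to find submissions that a vulnerable version would have stored.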

Affects Plugin

Fixed in version 7.3.14.727

References

CVE 2019-14799
URL https://www.webarxsecurity.com/flowplayer-video-player-xss-vulnerability/
URL https://plugins.trac.wordpress.org/changeset/2087606/fv-wordpress-flowplayer

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher WebARX Security
Submitter WebARX Security
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Verified No
WPVDB ID 9278

Timeline

Publicly Published 2019-05-20
Added 2019-05-20
Last Updated 2019-08-21
