WordPress JW Player 2.1.2 Cross Site Request Forgery
2014-06-10T00:00:00
ID PACKETSTORM:127025 Type packetstorm Reporter Tom Adams Modified 2014-06-10T00:00:00
Description
Details
================
Software: JW Player for Flash & HTML5 Video
Version: 2.1.2
Homepage: http://wordpress.org/plugins/jw-player-plugin-for-wordpress/
Advisory ID: dxw-1970-1201
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:N/A:P)
Description
================
CSRF in JW Player for Flash & HTML5 Video 2.1.2 permits deletion of players
Vulnerability
================
An attacker can cause an admin user to remove players if they can convince them to visit a URL of their choice.
Proof of concept
================
Log in as admin, create a new player, visit this URL (changing localhost, and changing player_id to the ID of the player you just created):
http://localhost/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete
Mitigations
================
Disable the plugin until a fix is available.
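The root cause described above is an admin action that is triggered by a plain GET request with no anti-CSRF token, so any page the admin visits can fire it. The following is an added illustration of that pattern and its fix using WordPress's nonce API; it is not the JW Player plugin's own code. The handler and helper names (jwp6_example_*) and the capability string are assumptions; the page slug and query parameters (page=jwp6_menu, player_id, action=delete) are taken from the advisory's proof-of-concept URL.

```php
<?php
// Added illustration, not the JW Player plugin's code. Assumed: a hypothetical
// admin-page handler for the page=jwp6_menu screen. jwp6_example_delete_player()
// stands in for whatever the plugin does to remove a player.

function jwp6_example_delete_player( $player_id ) {
    // Placeholder for the plugin's own deletion logic (hypothetical).
    delete_option( 'jwp6_example_player_' . (int) $player_id );
}

// --- Vulnerable pattern (what the advisory describes) ----------------------
// A GET to admin.php?page=jwp6_menu&player_id=N&action=delete issued by an
// authenticated admin's browser deletes the player whether or not the admin
// intended it: with no nonce, a third-party page can forge the request.
function jwp6_example_vulnerable_handler() {
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] ) {
        jwp6_example_delete_player( (int) $_GET['player_id'] );
    }
}

// --- Hardened pattern -------------------------------------------------------
// 1. The delete link carries a nonce generated for the current user's session
//    and bound to both the action and the specific player id.
function jwp6_example_delete_link( $player_id ) {
    $url = add_query_arg(
        array(
            'page'      => 'jwp6_menu',
            'action'    => 'delete',
            'player_id' => (int) $player_id,
        ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token>. Including the id in the action
    // string means a nonce minted for player 1 is not valid for player 2.
    return wp_nonce_url( $url, 'jwp6_delete_player_' . (int) $player_id );
}

// 2. The handler refuses any request without a valid nonce for that exact
//    action, and checks the caller's capability as well.
function jwp6_example_hardened_handler() {
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] ) {
        return;
    }
    $player_id = isset( $_GET['player_id'] ) ? (int) $_GET['player_id'] : 0;
    if ( $player_id <= 0 ) {
        wp_die( 'Invalid player id.' );
    }
    // check_admin_referer() validates $_REQUEST['_wpnonce'] against the action
    // and calls wp_die() on failure, so a cross-site request without the
    // session-bound token never reaches the delete.
    check_admin_referer( 'jwp6_delete_player_' . $player_id );
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Insufficient permissions.' );
    }
    jwp6_example_delete_player( $player_id );
}

// Run the hardened handler on admin requests (hook name is WordPress core's).
add_action( 'admin_init', 'jwp6_example_hardened_handler' );
```

Two design points worth noting: the nonce check must happen before any state change, not after, and binding the player id into the nonce action prevents a token obtained for one legitimate deletion from being reused against a different player. Performing destructive actions via POST rather than GET is an additional layer, but on its own it is not a CSRF defence; the nonce is what ties the request to the logged-in user's session.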
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2014-04-08: Discovered
2014-04-10: Reported
2014-06-10: Report not acknowledged, no fix announced. Published.
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.