WordPress JW Player 2.1.2 Cross Site Request Forgery

2014-06-10T00:00:00
ID PACKETSTORM:127025
Type packetstorm
Reporter Tom Adams
Modified 2014-06-10T00:00:00

Description

                                        
                                            `Details  
================  
Software: JW Player for Flash & HTML5 Video  
Version: 2.1.2  
Homepage: http://wordpress.org/plugins/jw-player-plugin-for-wordpress/  
Advisory ID: dxw-1970-1201  
CVE: Awaiting assignment  
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:N/A:P)  
  
Description  
================  
CSRF in JW Player for Flash & HTML5 Video 2.1.2 permits deletion of players  
  
Vulnerability  
================  
An attacker can cause an admin user to remove players if they can convince them to visit an URL of their choice.  
  
Proof of concept  
================  
Log in as admin, create a new player, visit this URL (changing localhost, and changing player_id to the ID of the player you just created):  
http://localhost/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete  
  
Mitigations  
================  
Disable the plugin until a fix is available.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2014-04-08: Discovered  
2014-04-10: Reported  
2014-06-10: Report not acknowledged, no fix announced. Published.  
  
<<<<<<< HEAD  
  
Discovered by dxw:  
================  
Tom Adams  
=======  
  
Discovered by dxw:  
================  
Tom Adams  
>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464  
Please visit security.dxw.com for more information.  
  
  
  
  
`