Video on Admin Dashboard is vulnerable to stored XSS. A user with admin capabilities can submit malicious code through the plugin’s options.
Fixed in version 1.1.4.
Proof of concept
The proof of concept will be posted on January 19th, to give users time to update the plugin.
Plugin name: Video on Admin Dashboard
Plugin URL: https://wordpress.org/plugins/videos-on-admin-dashboard/
Plugin author: Nahiro
- Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified.
- Saturday 11th of January 2020: Vulnerability fixed by the author in version 1.1.4.
- Sunday 12th of January 2020: Vulnerability made public on wpvulndb.com.