The Video on Admin Dashboard WordPress plugin is vulnerable to stored XSS. A user with admin capabilities can submit malicious code through the plugin's options, and it is stored and rendered unescaped.
Fixed in version 1.1.4.
Proof of concept
A user can insert a simple script in the Widget Title text field, e.g. `"><script>alert('XSS');</script>`. Every user role the plugin is configured to show the widget to will then execute the script.
Video example: https://youtu.be/pteSfFcrEOQ
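The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a widget title read from an option and echoed as-is, next to the hardened form that sanitizes on save and escapes on output. The option name `vad_widget_title` and settings group `vad_options` are assumed names for this example.

```php
<?php
// Added example, NOT the Video on Admin Dashboard plugin's code.
// Option name 'vad_widget_title' and group 'vad_options' are assumed.

// --- Vulnerable pattern: stored value trusted on the way in and out ---
function vad_render_title_unsafe() {
    // A title of "><script>alert('XSS');</script> closes the attribute and
    // runs for every user who is shown the dashboard widget.
    $title = get_option( 'vad_widget_title', '' );
    echo '<h2 class="hndle" title="' . $title . '">' . $title . '</h2>';
}

// --- Hardened pattern: sanitize on save, escape on output ---
function vad_register_settings() {
    register_setting(
        'vad_options',
        'vad_widget_title',
        array(
            'type'              => 'string',
            // Strips tags and encodes stray characters before storage.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'vad_register_settings' );

function vad_render_title_safe() {
    $title = get_option( 'vad_widget_title', '' );
    // Escape for the context the value lands in. Output escaping also covers
    // values that were stored before the sanitize callback existed.
    echo '<h2 class="hndle" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</h2>';
}
```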
Plugin name: Video on Admin Dashboard
Plugin URL: https://wordpress.org/plugins/videos-on-admin-dashboard/
Plugin author: Nahiro
- Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin's author notified.
- Saturday 11th of January 2020: Vulnerability fixed by the author in version 1.1.4.
- Sunday 12th of January 2020: Vulnerability made public on wpvulndb.com.