Video on Admin Dashboard < 1.1.4 | Authenticated Stored XSS

Vulnerability

Video on Admin Dashboard (versions before 1.1.4) is vulnerable to stored XSS. A user with admin capabilities can submit malicious code through the plugin's options; the value is stored and later rendered unescaped in the admin dashboard.

Fixed in version 1.1.4.

Proof of concept

A user can insert a simple script in the Widget Title text field, e.g. "><script>alert('XSS');</script>. Every user role the plugin is configured to show the widget to will then have the script executed in their dashboard.
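The root cause described above (an option value stored from the admin settings form and printed back into dashboard markup without escaping) is easiest to understand next to its fix. The following is an added illustration written for this page, not the plugin's own code: the option name, settings group, form field and function names (all prefixed vad_example_) are assumptions, while the WordPress API calls (register_setting, sanitize_text_field, esc_attr, esc_html, wp_add_dashboard_widget, current_user_can, check_admin_referer) are the standard ones.

```php
<?php
// Added example, not code from the Video on Admin Dashboard plugin.
// Option name, settings group, field name and function names are hypothetical.

// Register the option with a sanitize callback, so every write made through the
// Settings API is run through sanitize_text_field() (strips tags and control bytes).
add_action( 'admin_init', function () {
    register_setting(
        'vad_example_settings',        // hypothetical settings group
        'vad_example_widget_title',    // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Welcome video',
        )
    );
} );

// Vulnerable pattern, i.e. the shape of bug the advisory describes: the stored
// title is echoed straight into an attribute and into a text node. A saved value
// beginning with "> closes the attribute and the rest is parsed as markup, so it
// runs in the dashboard of every role the widget is shown to.
function vad_example_render_title_unsafe() {
    $title = get_option( 'vad_example_widget_title' );
    echo '<h2 class="vad-title" title="' . $title . '">' . $title . '</h2>';
}

// Hardened pattern: escape at output, for the context the value lands in.
// esc_attr() for attribute values, esc_html() for text content. Escaping on output
// also protects values that were stored before the sanitize callback existed
// (e.g. written by an older plugin version or by a direct update_option() call).
function vad_example_render_title_safe() {
    $title = get_option( 'vad_example_widget_title' );
    echo '<h2 class="vad-title" title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</h2>';
}

// Dashboard widget registration: escape the title here as well rather than
// relying on core to do it when it prints the widget heading.
add_action( 'wp_dashboard_setup', function () {
    wp_add_dashboard_widget(
        'vad_example_widget',                                  // hypothetical widget id
        esc_html( get_option( 'vad_example_widget_title' ) ),
        'vad_example_render_title_safe'
    );
} );

// Hardened save handler for a custom (non-Settings-API) form: verify capability
// and nonce, unslash the POSTed value, sanitize, then store.
// The form is assumed to include wp_nonce_field( 'vad_example_save_title' ).
function vad_example_save_title() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'vad_example_save_title' );
    $raw = isset( $_POST['vad_widget_title'] ) ? wp_unslash( $_POST['vad_widget_title'] ) : '';
    update_option( 'vad_example_widget_title', sanitize_text_field( $raw ) );
}
```

The two layers are deliberate: sanitizing on save limits what can be stored, and escaping on output guarantees that whatever is stored cannot change the structure of the page. When reviewing a fix like the one shipped in 1.1.4, check that every place the option is printed (widget heading, attributes, inline scripts) uses the escaping function for that context, not just the settings form.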

Video example: https://youtu.be/pteSfFcrEOQ

Plugin details

Plugin name: Video on Admin Dashboard
Plugin URL: https://wordpress.org/plugins/videos-on-admin-dashboard/
Plugin author: Nahiro

Timeline

  • Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin's author notified.
  • Saturday 11th of January 2020: Vulnerability fixed by the author in version 1.1.4.
  • Sunday 12th of January 2020: Vulnerability made public on wpvulndb.com.

Jeroen Mulder

Web developer based in the Netherlands