Video on Admin Dashboard < 1.1.4 | Authenticated Stored XSS

Vulnerability

Video on Admin Dashboard is vulnerable to stored XSS. A user with admin capabilities can submit malicious code through the plugin’s options.

Fixed in version 1.1.4. 

Proof of concept

The proof of concept will be posted on January 19th, to give users time to update the plugin.

Plugin details 

Plugin name: Video on Admin Dashboard
Plugin URL: https://wordpress.org/plugins/videos-on-admin-dashboard/
Plugin author: Nahiro

Timeline 

  • Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified.
  • Saturday 11th of January 2020: Vulnerability fixed by the author in version 1.1.4.
  • Sunday 12th of January 2020: Vulnerability made public on wpvulndb.com.

Jeroen Mulder

Web developer based in the Netherlands