WP Flash Player 1.3 - Multiple Cross-site Scripting

Advisory ID: RO-15-011
Severity: High
Vendor: WordPress
Product: WP Flash Player
Version: 1.3

Overview

Multiple Cross-site Scripting (XSS) vulnerabilities exist in version 1.3 of the WP Flash Player WordPress plugin. Two POST parameters of the plugin's admin page are reflected into the response without output encoding.

Vulnerability Details

Affected Versions: 1.3 and earlier
Root Cause: Insufficient input validation and missing output encoding of admin panel parameters.
Status: Not fixed by the developer

Technical Details

Vulnerable URL: /wp-admin/admin.php?page=hdflv
Vulnerable Parameters (POST):
- plfilter
- search
Attack Pattern: 0'"-->

The pattern is built to break out of the two contexts in which the values are reflected: the quote characters terminate a single- or double-quoted attribute value, and --> terminates an HTML comment. Whatever follows the pattern is then parsed as markup, so a script tag or event handler appended to it executes in the admin's browser.

Exploitation Requirements

- Admin authentication is required: the vulnerable page is only reachable by a logged-in administrator.
- The victim must be logged in as an administrator while the payload is delivered.
- Because the parameters are sent by POST, the attacker has to make the administrator's browser submit a crafted request, for example from an attacker-controlled page that auto-submits a form to admin.php?page=hdflv. This works only if the form handler does not verify a WordPress nonce.

Impact

An attacker who gets an administrator to submit the crafted request can run arbitrary JavaScript in the WordPress admin context and thereby:
- Perform administrative actions in the victim's session (the injected script can read the page's nonces and issue authenticated requests, e.g. to create users or edit the site).
- Steal admin session cookies, where the cookies are readable from script. Note that WordPress sets its authentication cookies HttpOnly by default, so abusing the live session from the injected script is the more realistic path than cookie theft.
- Compromise the WordPress installation as a whole.

Solution

The vulnerabilities have not been fixed by the developer. Deactivate and remove the plugin, or replace it with an alternative that is still maintained. If the plugin must stay installed, a web application firewall rule that rejects quote characters and --> in the plfilter and search parameters of admin.php?page=hdflv reduces exposure but is not a substitute for a code fix.

References

Invicti Advisory NS-15-009

Timeline:
[2015-03-17] - First Contact
[2015-06-01] - Second Contact
[2015-06-30] - Third Contact
[2015-07-15] - Advisory Released

Credits: Omar Kurt
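The following is an added example, not code from the WP Flash Player plugin or from the advisory's author. It reconstructs the pattern described under Technical Details (the POST parameters plfilter and search echoed into the admin page at admin.php?page=hdflv) beside a hardened version of the same form, and drives both with the advisory's attack pattern. The function names hdflv_render_*, the nonce action hdflv_filter and the exact markup are assumptions; the esc_attr() and wp_nonce_field() calls are WordPress's own functions, with a stand-in for esc_attr() so the file also runs under plain php-cli.

```php
<?php
// Added example, not the plugin's code. Reconstructs the reflected-XSS pattern
// from the advisory and the fix a plugin author would apply.
// Hypothetical names: hdflv_render_filter_form_*, hdflv_reflects_raw, action "hdflv_filter".

// Stand-in so the file runs outside WordPress. Inside WordPress the real
// esc_attr() is loaded and this definition is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: request values are concatenated raw into an HTML comment and
// into double-quoted attribute values. The pattern 0'"--> closes the
// value="..." attribute (via the ") and the <!-- ... --> comment (via -->),
// so anything the attacker appends after it is parsed as markup.
function hdflv_render_filter_form_vulnerable(array $post): string {
    $plfilter = $post['plfilter'] ?? '';
    $search   = $post['search'] ?? '';
    return '<!-- hdflv filter: ' . $plfilter . ' -->' . "\n"
         . '<form method="post" action="admin.php?page=hdflv">' . "\n"
         . '  <input type="text" name="search" value="' . $search . '">' . "\n"
         . '  <input type="hidden" name="plfilter" value="' . $plfilter . '">' . "\n"
         . '</form>';
}

// HARDENED: every reflected value is escaped for the context it lands in
// (esc_attr() for attribute values), and the comment that leaked plfilter is
// not emitted at all, because there is no safe escaping for HTML comment
// context. In WordPress the form also carries a nonce; the handler that
// processes the POST calls check_admin_referer('hdflv_filter', 'hdflv_nonce')
// before touching the values, which stops a third-party page from submitting
// the form on a logged-in admin's behalf.
function hdflv_render_filter_form_hardened(array $post): string {
    $plfilter = $post['plfilter'] ?? '';
    $search   = $post['search'] ?? '';
    $nonce = function_exists('wp_nonce_field')
        ? wp_nonce_field('hdflv_filter', 'hdflv_nonce', true, false) . "\n"
        : '';
    return '<form method="post" action="admin.php?page=hdflv">' . "\n"
         . $nonce
         . '  <input type="text" name="search" value="' . esc_attr($search) . '">' . "\n"
         . '  <input type="hidden" name="plfilter" value="' . esc_attr($plfilter) . '">' . "\n"
         . '</form>';
}

// Regression check: true when the raw payload still follows an opening
// value=" in the rendered page, i.e. the attribute break-out survived.
function hdflv_reflects_raw(string $html, string $payload): bool {
    return strpos($html, 'value="' . $payload) !== false;
}

// Constructed input: both parameters carry the advisory's attack pattern,
// extended with a script tag to show what the break-out enables.
$payload = "0'\"--><script>alert(document.domain)</script>";
$post    = ['plfilter' => $payload, 'search' => $payload];

foreach (['vulnerable', 'hardened'] as $variant) {
    $render = 'hdflv_render_filter_form_' . $variant;
    $html   = $render($post);
    printf("%-10s reflects raw payload: %s\n%s\n\n",
        $variant, hdflv_reflects_raw($html, $payload) ? 'yes' : 'no', $html);
}
```

Run with `php hdflv_xss_example.php`: the vulnerable variant prints the script tag intact inside the form, the hardened variant prints it as `&lt;script&gt;` with the quotes encoded as `&#039;` and `&quot;`. The same `hdflv_reflects_raw()` check can be pointed at a live response captured while probing the real admin page, which is how the advisory's "Attack Pattern" is confirmed in practice.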