logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.

Proof of Concept

Step1: Install and activate the plugin. 

Step2: Go to the plugin setting.

Step3: Enter the following payload in the field "Default Skin"

xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss

Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.

Affects Plugins

hana-flv-player

No known fix

References

CVE

CVE-2021-24302

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

Kishore Hariram

Submitter twitter

kishorehariram

Verified

Yes

WPVDB ID

372a66ca-1c3c-4429-86a5-81dbdaa9ec7d

Timeline

Publicly Published

2021-05-05 (about 4 months ago)

Added

2021-05-06 (about 4 months ago)

Last Updated

2021-05-07 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin