WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.

Proof of Concept

Step1: Install and activate the plugin. 

Step2: Go to the plugin setting.

Step3: Enter the following payload in the field "Default Skin"

xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss

Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.

Affects Plugins

hana-flv-player
No known fix

References

CVE
CVE-2021-24302

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Kishore Hariram

Submitter

Kishore Hariram

Submitter twitter
kishorehariram
Verified

Yes

WPVDB ID
372a66ca-1c3c-4429-86a5-81dbdaa9ec7d

Timeline

Publicly Published

2021-05-05 (about 1 years ago)

Added

2021-05-06 (about 1 years ago)

Last Updated

2021-05-07 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin