WordPress Plugin Vulnerabilities
Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.
Proof of Concept
Step1: Install and activate the plugin. Step2: Go to the plugin setting. Step3: Enter the following payload in the field "Default Skin" xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Kishore Hariram
Submitter
Kishore Hariram
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-05 (about 3 years ago)
Added
2021-05-06 (about 3 years ago)
Last Updated
2021-05-07 (about 3 years ago)