WordPress Plugin Vulnerabilities

Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.

Proof of Concept

Affects Plugins

Plugin icon
hana-flv-player
No known fix

References

CVE
CVE-2021-24302

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Kishore Hariram
Submitter
Kishore Hariram
Submitter twitter
kishorehariram
Verified
Yes
WPVDB ID
372a66ca-1c3c-4429-86a5-81dbdaa9ec7d

Timeline

Publicly Published
2021-05-05 (about 4 years ago)
Added
2021-05-06 (about 4 years ago)
Last Updated
2021-05-07 (about 4 years ago)

Other

Published
Title
Published
2024-10-15
Title
Encyclopedia / Glossary / Wiki < 1.7.61 - Reflected Cross-Site Scripting
Published
2023-11-29
Title
Responsive Lightbox < 2.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via name
Published
2024-04-24
Title
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) < 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sina Fancy Text Widget
Published
2023-02-02
Title
Show-Hide / Collapse-Expand < 1.3.0 - Contributor+ Stored XSS via Shortcode
Published
2023-09-25
Title
User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS