WordPress Plugin Vulnerabilities

Video Posts Webcam Recorder < 3.2.4 - Authenticated Reflected XSS

Description

The plugin has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.

Proof of Concept

.../wp-content/plugins/video-posts-webcam-recorder/posts/videowhisper/recorded_videos.php?delete=%3Cscript%3Ealert(1)%3C/script%3E

Affects Plugins

Plugin icon
video-posts-webcam-recorder
Fixed in 3.2.4

References

CVE
CVE-2021-24512

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
iohex
Submitter
iohex
Submitter twitter
iohehe
Verified
No
WPVDB ID
458a576e-a7ed-4758-a80c-cd08c370aaf4

Timeline

Publicly Published
2021-07-14 (about 2 years ago)
Added
2021-07-14 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)

Other

Published
Title
Published
2024-05-03
Title
Edge < 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Author Display Name
Published
2024-01-18
Title
Booking for Appointments and Events Calendar – Amelia < 1.0.94 - Contributor+ Stored Cross-Site Scripting via shortcode
Published
2014-08-01
Title
A Forms 1.4.0 - a-forms.php a_form_shortcode Function Multiple Parameter XSS
Published
2017-07-04
Title
Responsive Lightbox by dFactory <= 1.7.1 - Authenticated Cross-Site Scripting (XSS)
Published
2023-05-12
Title
WP Register Profile With Shortcode < 3.5.9 - Admin+ Stored XSS