Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 6.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-12504 | Plugin Vulnerabilities

Description

The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versions up to, and including, 6.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

videowhisper-live-streaming-integration

Fixed in 6.1.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/74b27798-3c6f-4c4e-80f8-7aa40f704fb7

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

yudha

Verified

No

WPVDB ID

6dccf829-7664-4c5a-9d79-e4b17f52b563

Timeline

Publicly Published

2025-01-22 (about 1 year ago)

Added

2025-01-22 (about 1 year ago)

Last Updated

2025-01-23 (about 1 year ago)

Other

Published

Title

Published

2025-04-09

Title

Aria Font <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-12-27

Title

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.4.0 - Contributor+ Stored XSS

Published

2026-01-10

Title

TheGem Theme Elements (for WPBakery) < 5.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-14

Title

WP Post Corrector <= 1.0.2 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Count Per Day 3.1.1 - userperspan.php Multiple Parameter XSS