WordPress Plugin Vulnerabilities

Videos sync PDF <= 1.7.4 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in place when editing a video, and does not escape some of its fields, which could allow attackers to make a logged in admin change them and lead to Stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
video-synchro-pdf
No known fix

References

URL
https://packetstormsecurity.com/files/#166758/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
UnD3sc0n0c1d0
Verified
Yes
WPVDB ID
6eaf5123-8f55-4754-859b-8042a16e9fa0

Timeline

Publicly Published
2022-04-19 (about 4 years ago)
Added
2022-04-19 (about 4 years ago)
Last Updated
2022-04-20 (about 4 years ago)

Other

Published
Title
Published
2017-08-08
Title
Loginizer <= 1.3.5 - Cross-Site Request Forgery (CSRF)
Published
2023-02-08
Title
ColorWay <= 4.2.3 - Cross-Site Request Forgery
Published
2023-01-04
Title
FL3R FeelBox <= 8.1 - Moods Reset via CSRF
Published
2024-12-12
Title
jCarousel <= 1.0 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2025-01-06
Title
WP Customer Area < 8.2.5 - Bulk Delete via CSRF