Video on Admin Dashboard < 1.1.4 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

Video on Admin Dashboard is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options.

Proof of Concept

A user can insert a simple script in the Widget Title text field, e.g. "><script>alert('XSS');</script>. Every specified user role by the plugin will now be targeted by the script. 

Video example: https://youtu.be/pteSfFcrEOQ

Affects Plugins

videos-on-admin-dashboard

Fixed in 1.1.4

References

URL

http://jrjmulder.nl/plugins/video-on-admin-dashboard/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Jeroen Mulder

Submitter

Jeroen Mulder

Submitter website

https://jrjmulder.nl

Verified

No

WPVDB ID

adfc4890-804a-4842-be6a-c0519f495cc4

Timeline

Publicly Published

2020-01-11 (about 6 years ago)

Added

2020-01-11 (about 6 years ago)

Last Updated

2020-01-12 (about 6 years ago)

Other

Published

Title

Published

2026-03-20

Title

Jaroti < 1.4.8 - Reflected Cross-Site Scripting

Published

2024-06-18

Title

EmbedSocial – Social Media Feeds, Reviews and Galleries < 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-30

Title

Hello Followers <= 2.5 - Reflected Cross-Site Scripting

Published

2025-09-30

Title

Rock Convert <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-03-27

Title

CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS