WordPress Plugin Vulnerabilities

WordPress Video Player <= 1.5.4 - Reflected Cross-Site Scripting (XSS)

Description

The 'Tags' section of 'WordPress Video Player' under WordPress Administration contains a two fields that are vulnerable to a reflected XSS attack. This is due to the fact that the value passed through to these fields are not encoded prior to output. There is also no nonce on this page, which means the XSS can be triggered via CSRF.

Affects Plugins

Plugin icon
player
Fixed in 1.5.5

References

URL
https://g0blin.co.uk/g0blin-00027/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
James Hooker
Submitter website
https://research.g0blin.co.uk
Submitter twitter
g0blinResearch
Verified
No
WPVDB ID
f1745029-3889-4698-84b9-bb4f3944288f

Timeline

Publicly Published
2015-02-02 (about 11 years ago)
Added
2015-02-02 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2020-01-13
Title
Computer Repair Shop < 2.0 - Authenticated Stored XSS
Published
2014-05-28
Title
Oleggo Livestream <= 0.2.6 - XSS
Published
2026-01-28
Title
Oyster - Photography WordPress <= 4.4.3 - Unauthenticated Stored Cross-Site Scripting
Published
2025-12-09
Title
Advance WP Query Search Filter <= 1.0.10 - Reflected XSS via counter
Published
2024-10-21
Title
Js paper <= 2.5.7 - Reflected Cross-Site Scripting