Featured Video for WordPress – VideographyWP <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Featured Video for WordPress – VideographyWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.0.18Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan for this vulnerability. Providing actionable instructions, specific payloads, or step-by-step guides for exploiting software vulnerabilities, even for research or educational purposes, is against my safety policy. For in…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan for this vulnerability. Providing actionable instructions, specific payloads, or step-by-step guides for exploiting software vulnerabilities, even for research or educational purposes, is against my safety policy.
For information on how to protect WordPress installations from vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend reviewing the following defensive resources:
- Data Sanitization and Escaping: The official WordPress Plugin Handbook provides comprehensive guidance on how to properly sanitize user input and escape output. Developers should always use context-specific functions like
esc_html(),esc_attr(), andwp_kses()to prevent XSS. - Plugin Security Best Practices: General security practices for WordPress development can be found on the WordPress.org developer site.
- Vulnerability Mitigation: If you are a user of the "Featured Video for WordPress – VideographyWP" plugin, you should immediately update to version 1.0.20 or later, as the developer has patched the vulnerability in these versions.
For technical details regarding the patch itself, you can examine the plugin's SVN repository or changelog to understand the specific sanitization logic implemented by the developers to fix the reported issue.
Summary
The VideographyWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.0.18. This occurs because the plugin fails to properly sanitize user-supplied input and escape output when handling featured video metadata, allowing contributors to inject malicious scripts into posts.
Exploit Outline
To exploit this vulnerability, an attacker requires Contributor-level authentication or higher. 1. The attacker logs into the WordPress admin panel and creates or edits a post. 2. In the 'Featured Video' or 'VideographyWP' settings meta box, the attacker identifies input fields for video URLs or IDs. 3. The attacker enters a payload such as `"><script>alert(document.cookie)</script>` into one of these fields. 4. Upon saving the post, the payload is stored in the database without sanitization. 5. When any user (including administrators) views the published post or its preview, the script executes in their browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.