wp-plugin : pay-per-media-player – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : pay-per-media-player


Effected Version : 1.24 (and most probably lower version's if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


Disclosure Timeline


Vendor Contacted : 2014-01-22

Plugin Status : Closed on 2014-01-11
Public Disclosure : April 25, 2014
CVE Number : CVE-2014-4543

Plugin Description :
a Player
Free Features

    Supports MP4 video format
    Supports XML based Media Playlist
    Supports Unicode
    Social Links Facebook / Twitter
    Works in IE, Safari, Firefox, Chrome, Opera, mobile devices including Android/iOS
    Player have shortcode for post/page [payper id=ID] i.e. [payper id=1]

Paid Features

    Supports audio, video formats
    Pay per view or buy now option
    Color / Size Customization
    Social Link Customization
    Multiple player on same page / post
    Supports Red5 / Wowza / Amazon Cloud Front / S3 HTTP Streaming / Live / VoD
    Facebook page customization with player
    Best support on email

Leave a Reply

Your email address will not be published. Required fields are marked *