wp-plugin : video-comments-webcam-recorder – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : video-comments-webcam-recorder


Affected Version : 1.55 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : message

Trac Log : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839986%40video-comments-webcam-recorder&old=686438%40video-comments-webcam-recorder

Note : This plugin was updated in place, which means that everyone who downloaded this version between its release and the time the fix was applied is vulnerable; any download made after the fix date is patched.
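Because the fix was applied in place, the version string alone cannot tell a vulnerable 1.55 copy from a patched one. The following added example (not part of the original advisory or the plugin's code) compares an installed copy against a reference copy downloaded after the fix date; the directory names, file names and PHP snippets in `demo()` are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Same shape as a WordPress plugin header line, e.g. " * Version: 1.55"
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def plugin_version(plugin_dir):
    """Return the Version: value from the first top-level PHP file that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = VERSION_RE.search(php.read_bytes()[:8192])
        if m:
            return m.group(1).decode("ascii", "replace")
    return None

def tree_hashes(plugin_dir):
    """Map relative path -> SHA-256 for every file under plugin_dir."""
    root = Path(plugin_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_reference(installed_dir, reference_dir):
    """Compare an installed copy with a copy downloaded after the fix date."""
    inst, ref = tree_hashes(installed_dir), tree_hashes(reference_dir)
    differing = sorted(f for f in inst.keys() | ref.keys() if inst.get(f) != ref.get(f))
    return {
        "installed_version": plugin_version(installed_dir),
        "reference_version": plugin_version(reference_dir),
        "differing_files": differing,
        "matches_reference": not differing,
    }

def demo():
    """Constructed sample: two copies that both report 1.55 but differ in one file."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "installed"), Path(tmp, "reference")
        header = "<?php\n/*\nPlugin Name: Sample Plugin\nVersion: 1.55\n*/\n"
        # Hypothetical file contents, not taken from the real plugin.
        for d, body in ((old, "echo $value;"), (new, "echo esc_html($value);")):
            d.mkdir()
            (d / "sample-plugin.php").write_text(header)
            (d / "handler.php").write_text("<?php " + body + "\n")
        return compare_to_reference(old, new)

if __name__ == "__main__":
    print(demo())
```

A copy whose `matches_reference` is false while both versions read 1.55 should be replaced with a fresh download.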


Disclosure Timeline


Vendor Contacted : 2014-01-15

Plugin Status : Updated on 2014-01-16
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4567

Plugin Description :
The Video Comments Webcam Recorder allows WordPress users to record video comments as responses to posts or to other comments. If the user is not logged into WordPress he cannot access this feature.
Supports playback with JwPlayer plugin.

Special requirements: This plugin has requirements beyond regular WordPress hosting specifications: an RTMP host is needed for persistent connections to manage live interactions and streaming (Wowza recommended). More details about this, including solutions, are provided on the Installation section pages.
