wp-plugin : videowhisper-video-presentation | Code Vigilant : to err is human.. To fix is Humanity

Wp Plugin Videowhisper Video Presentation

Plugin Details

Plugin Name: wp-plugin : videowhisper-video-presentation

Effected Version : 3.25 (and most probably lower version's if any)

Vulnerability : Cross-Site Scripting (XSS)

Minimum Level of Access Required : Unauthenticated

CVE Number : CVE-2014-4570

Identified by : Anantshri

WPScan Reference URL

Disclosure Timeline

January 15, 2014: Vendor Contacted
January 16, 2014 : Plugin Updated
June 12, 2014 : Public Disclosure

Technical Details

http://localhost/wp-content/plugins/videowhisper-video-presentation/vp/c_login.php?room_name=room_name’>

// & http://localhost/wp-content/plugins/videowhisper-video-presentation/vp/index.php?room=”/>

// & Vulnerable Parameter : room, room_name Trac Log : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=839980%40videowhisper-video-presentation&old=600781%40videowhisper-video-presentation&sfp_email=&sfph_mail=#file4