wp-plugin : wp-media-player – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : wp-media-player


Affected Version : 0.8 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :


Disclosure Timeline


Vendor Contacted : 2014-01-15

Plugin Status : Closed on 2014-01-11
Public Disclosure : April 25, 2014
CVE Number : CVE-2014-4589

Plugin Description :
This plugin allows addition of Silverlight-based media players to WordPress blog posts and pages. The players can be used to play Windows Media Video (WMV) encoded video content.

The plugin has the following features:

* 6 player styles
* Watermark image
* Tracking and reporting on how many times the videos have been watched
* Default player configuration settings, such as size, thumbnail, auto load and auto play.
* Per-instance player configuration settings that can be used to customize each individual player within or across blog posts.
* Unlimited number of players within the same blog post or page.
* UI for uploading of video files and for inserting media players into blog posts and pages

Follow the instructions at [WP Media Player - Video Encoding](http://ruslany.net/wp-media-player/video-encoding/) to encode the video content for the player.

Version 0.8 contains several bug fixes and a new feature for adding a watermark image in the player. Refer to the [changelog](http://ruslany.net/wp-media-player/changelog/) for more details.

For more information, demos and usage instructions refer to [the plugin home page](http://ruslany.net/wp-media-player/).
