Executive Summary

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.7.11. This vulnerability arises due to insufficient input sanitization and output escaping in the plugin settings.

Authenticated attackers with editor-level permissions or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page. This vulnerability specifically affects multi-site WordPress installations or installations where the unfiltered_html capability has been disabled.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with editor-level access or above to inject malicious scripts into the plugin's pages. When other users visit these pages, the injected scripts execute in their browsers.

The impact includes potential theft of user credentials, session hijacking, defacement, or other malicious actions performed via the injected scripts. Since the vulnerability is a stored XSS, the malicious code persists and affects all users who access the compromised pages.

The vulnerability has a CVSS v3.1 base score of 4.4, indicating a medium severity with network attack vector, high attack complexity, requiring high privileges but no user interaction, and impacts confidentiality and integrity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress versions up to and including 2.7.11, specifically in multi-site installations or where unfiltered_html is disabled. Detection involves verifying the plugin version and checking for signs of stored cross-site scripting (XSS) in plugin settings.

To detect the vulnerability on your system, you can:

• Check the installed version of the Video Share VOD plugin to see if it is version 2.7.11 or earlier.
• Inspect plugin settings pages for suspicious or unexpected script tags or HTML code that could indicate stored XSS payloads.
• Use WordPress CLI commands to list plugin versions, for example: `wp plugin list` to verify the installed version.
• Search the database for suspicious script injections in the plugin settings tables, for example using SQL queries to look for `<script>` tags in relevant options or meta tables.

Since the vulnerability requires authenticated users with editor-level permissions or higher, monitoring user activity logs for unusual changes in plugin settings or unexpected script insertions can also help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

• Update the Video Share VOD plugin to a version later than 2.7.11 where the vulnerability is fixed by proper input sanitization and output escaping.
• If an immediate update is not possible, restrict editor-level and higher permissions to trusted users only, as the vulnerability requires authenticated users with such permissions.
• Enable unfiltered_html capability only for trusted users or consider enabling it if it is disabled, since the vulnerability affects installations where unfiltered_html is disabled.
• Review and sanitize existing plugin settings to remove any injected malicious scripts.
• Apply the security patch described in changeset 3463296 which includes usage of `esc_attr()`, `esc_html()`, and type casting to prevent XSS.

Useful 0 Not Useful 0