Details ================ Software: JW Player for Flash & HTML5 Video Version: 2.1.2 Homepage: http://wordpress.org/plugins/jw-player-plugin-for-wordpress/ Advisory ID: dxw-1970-1201 CVE: Awaiting assignment CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:N/A:P) Description ================ CSRF in JW Player for Flash & HTML5 Video 2.1.2 permits deletion of players Vulnerability ================ An attacker can cause an admin user to remove players if they can convince them to visit an URL of their choice. Proof of concept ================ Log in as admin, create a new player, visit this URL (changing localhost, and changing player_id to the ID of the player you just created): http://localhost/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete Mitigations ================ Disable the plugin until a fix is available. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, plugins () wordpress org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2014-04-08: Discovered 2014-04-10: Reported 2014-06-10: Report not acknowledged, no fix announced. Published. <<<<<<< HEAD Discovered by dxw: ================ Tom Adams ======= Discovered by dxw: ================ Tom Adams 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464 Please visit security.dxw.com for more information.