what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Video JS Cross Site Scripting

WordPress Video JS Cross Site Scripting
Posted May 14, 2013
Authored by MustLive

Various WordPress plugins that embed video-js.swf suffer from cross site scripting vulnerabilities. These include Video Embed and Thumbnail Generator, External "Video for Everybody", 1player, S3 Video and EasySqueezePage.

tags | exploit, vulnerability, xss
SHA-256 | 5353566b47099624d07091f78ba99de22b3590171921393a6150f67e5e76fda4

WordPress Video JS Cross Site Scripting

Change Mirror Download
Hello list!

These are Cross-Site Scripting vulnerabilities in multiple plugins for
WordPress with VideoJS. Earlier I've wrote about vulnerabilities in VideoJS
(http://seclists.org/fulldisclosure/2013/May/21). This is popular video and
audio player, which is used at hundreds thousands of web sites and in
multiple web applications. Google dork for VideoJS shows 446000 results and
for WP plugins with it shows 178000 (inurl:video-js.swf

In addition to plugin VideoJS - HTML5 Video Player for WordPress
(http://seclists.org/fulldisclosure/2013/May/35), about which I wrote
earlier, here are new plugins with this player.

Among them are Video Embed & Thumbnail Generator, External "Video for
Everybody", 1player, S3 Video and EasySqueezePage. But there are other
vulnerable plugins for WP with video-js.swf (which can be found with
above-mentioned Google dork). All developers of these plugins, the same as
developers of all other web applications with VideoJS, need to update it in
their software.

Affected products:

Video Embed & Thumbnail Generator 4.0.3 and previous versions.
External "Video for Everybody" 2.0 and previous versions.
1player 1.2 and previous versions.
S3 Video 0.97 and previous versions.
EasySqueezePage (all versions).

Vulnerable are web applications which are using VideoJS Flash Component
3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not
vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be
read in repository on github). Also there are bypass methods which work in
the last version, but the developers haven't fixed them due to their low
impact. So update to last version of VideoJS.swf.

Affected vendors:

Plugins' pages at WordPress plugins catalog:

Video Embed & Thumbnail Generator
External "Video for Everybody"
S3 Video


Cross-Site Scripting (WASC-08):

Video Embed & Thumbnail Generator:


External "Video for Everybody":




S3 Video:





2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They
thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored
the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And
made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding)
and uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed
the hole completely and informed them.

Best wishes & regards,
Administrator of Websecurity web site

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By