WP Video Lightbox WordPress Plugin Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP Video Lightbox WordPress plugin, affecting versions prior to 1.9.3. The issue arises because the plugin does not properly escape the attributes of its shortcodes. This flaw allows users with a minimum role of contributor to execute cross-site scripting attacks.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, a user with a contributor role can insert a shortcode for the WP Video Lightbox plugin without proper attribute escaping. The injected video ID can include JavaScript payloads, such as an 'onmouseover' event, which will be executed when the video link is hovered over. Once the shortcode is published, the JavaScript payload will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the WP Video Lightbox WordPress plugin to version 1.9.3 or later.