WordPress Plugin Videos Sync PDF Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the WordPress Plugin Videos Sync PDF, version 1.7.4. This vulnerability allows authenticated attackers to inject malicious scripts by exploiting unsanitized parameters, including nom, pdf, mp4, webm, and ogg. Attackers can use the plugin options panel to insert payloads, such as event handlers, which are executed when administrators view or edit video settings.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.
Reproduction
To reproduce this vulnerability, install and activate WordPress Plugin Videos Sync PDF version 1.7.4. Navigate to the plugin options panel and either open an existing 'Video example' or create a new one. In the fields for Name, PDF file, MP4 video, WebM video, or OGG video, insert a payload such as an autofocus onfocus event handler. Save the changes and the injected JavaScript will execute, displaying a popup with the text 'XSS'. This change will persist until the edited field is modified.
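The pattern behind this class of bug, next to a hardened form, as an added example that is not the plugin's own code. Only the field names (nom, pdf, mp4, webm, ogg) come from the advisory. The helper functions and the sample value are assumptions, written as standalone PHP 7.4+ with the WordPress equivalents named in comments.

```php
<?php
// Added illustration; not the Videos Sync PDF source. Only the field names
// (nom, pdf, mp4, webm, ogg) come from the advisory; helpers are hypothetical.

const URL_FIELDS = ['pdf', 'mp4', 'webm', 'ogg'];

// Vulnerable pattern: the stored setting is concatenated into an HTML
// attribute as-is, so a double quote in the value ends the attribute early.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Save-time handling: strip markup, and accept only http(s) URLs for media
// fields. WordPress equivalents: sanitize_text_field() and esc_url_raw().
function sanitize_setting(string $name, string $value): string
{
    $value = trim(strip_tags($value));
    if (in_array($name, URL_FIELDS, true)) {
        $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
        $valid  = filter_var($value, FILTER_VALIDATE_URL) !== false;
        if (!$valid || !in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
    }
    return $value;
}

// Render-time handling: escape for the attribute context on every output.
// WordPress equivalent: esc_attr() (esc_url() for href/src attributes).
function render_field_safe(string $name, string $value): string
{
    $attr = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $attr($name) . '" value="' . $attr($value) . '">';
}

// Constructed sample: a value that breaks out of value="..." and adds an
// inert attribute, standing in for the event handler the advisory describes.
$submitted = 'demo" data-injected="1';

echo render_field_unsafe('nom', $submitted), PHP_EOL;   // attribute boundary broken
foreach (['nom', 'pdf'] as $field) {
    $stored = sanitize_setting($field, $submitted);
    echo render_field_safe($field, $stored), PHP_EOL;    // quotes emitted as &quot;
}
```

For the free-text nom field the save-time step leaves the double quote in place, so the render-time escaping is what keeps the value inside the attribute. The URL fields are additionally emptied at save time because the value is not an http(s) URL.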
