WWBN AVideo Cross-Site Scripting Vulnerability in WordPress Login Integration

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in WWBN AVideo version 14.4 and in the development master commit 8a8954ff. The issue arises in the WordPress login integration, specifically in the 'cancelUri' parameter of the login form: the parameter's value is rendered into the form without proper sanitization, so a script embedded in it executes as arbitrary JavaScript in the victim's browser. To exploit this vulnerability, an attacker can craft a link that, when clicked by an administrator, executes the embedded JavaScript, potentially leading to the compromise of the administrator's account.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, activate the 'LoginWordPress' plugin and fill in the 'Custom WP Site' field in the plugin settings. This enables an alternative login method through a custom WordPress site and exposes the vulnerable login form. Once the form is accessible, log out of AVideo so that no session is active. Then send a crafted HTTP request that includes a malicious 'cancelUri' parameter. When the administrator clicks the 'Cancel' button, the embedded JavaScript executes, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update to the patched version released by the vendor.
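The following is an added example, not code from the advisory or from the AVideo project: it scans constructed access-log lines for 'cancelUri' values that are not plain local paths (the check a fix would apply before echoing the parameter into the form). The request path in the sample lines is a placeholder, since the advisory does not give the form's URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style, all values invented).
# /PLACEHOLDER_LOGIN_PATH stands in for the login form's real path, which the
# advisory does not state.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jul/2025:17:45:01 +0000] "GET /PLACEHOLDER_LOGIN_PATH?cancelUri=%2Fvideos HTTP/1.1" 200 512
203.0.113.9 - - [24/Jul/2025:17:45:02 +0000] "GET /PLACEHOLDER_LOGIN_PATH?cancelUri=javascript%3Avoid%280%29 HTTP/1.1" 200 512
203.0.113.9 - - [24/Jul/2025:17:45:03 +0000] "GET /PLACEHOLDER_LOGIN_PATH?cancelUri=%22%3E%3Cb%3E HTTP/1.1" 200 512
203.0.113.7 - - [24/Jul/2025:17:45:04 +0000] "GET /PLACEHOLDER_LOGIN_PATH?cancelUri=https%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_safe_cancel_uri(decoded: str) -> bool:
    """Accept only a local path (already percent-decoded once, as the server sees it).

    Rejected: quotes and angle brackets (would break out of an HTML attribute),
    control characters, protocol-relative //host and backslash paths, and
    anything carrying a scheme (javascript:, https:) or a host. On the render
    side the accepted value must still be HTML-escaped; this function only
    decides whether the value is acceptable at all.
    """
    if any(c in decoded for c in '<>"\'') or any(ord(c) < 0x20 for c in decoded):
        return False
    if decoded.startswith('//') or decoded.startswith('\\'):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    return decoded.startswith('/')


def find_suspicious_cancel_uri(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded cancelUri) for every request whose cancelUri fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes each value exactly once, matching the server's view.
        for value in parse_qs(query, keep_blank_values=True).get('cancelUri', []):
            if not is_safe_cancel_uri(value):
                hits.append((line.split(' ', 1)[0], value))
    return hits


if __name__ == '__main__':
    for ip, value in find_suspicious_cancel_uri(SAMPLE_LOG):
        print(f'suspicious cancelUri from {ip}: {value!r}')
```

The same `is_safe_cancel_uri` check, followed by HTML escaping, is the shape of an input-side fix for the form; the log scan is useful for looking back through access logs on unpatched instances.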

Added: Jul 24, 2025, 5:45 PM
Updated: Jul 24, 2025, 5:45 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.0
impact          1.7
exploitability  7.9
remediation     7.7
relevance       0.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.