WordPress Videos Sync PDF 1.7.4 Cross Site Scripting

CVE Category Price Severity
CVE-2021-24537 CWE-79 Not specified High
Author Risk Exploitation Type Date
Exploit Alert High Remote 2022-04-24
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

WordPress Videos Sync PDF 1.7.4 Cross Site Scripting
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage:
# Software Link:
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A

# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing 
potentially dangerous characters to be inserted. This includes the reported payload, which 
triggers a persistent Cross-Site Scripting (XSS).
# 2. Proof of Concept (PoC):
 a. Install and activate version 1.7.4 of the plugin.
 b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
 c. Open the "Video example" or create a new one (whichever you prefer).
 d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video) 
the following payload:
" autofocus onfocus=alert(/XSS/)>.
 e. Save the changes. "Edit" button.
 f. JavaScript will be executed and a popup with the text "XSS" will be displayed.

Note: This change will be permanent until you modify the edited field.

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum