CVE-2022-44590: Stored Cross-Site Scripting (XSS) Vulnerability Found in James Lao's Simple Video Embedder Plugin for WordPress

Hello fellow security enthusiasts! Today, we will take a close look at the recently discovered vulnerability called CVE-2022-44590, known as Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability was found in the Simple Video Embedder plugin, version 2.2 or lower, developed by James Lao for WordPress. In this post, we will not only discuss this vulnerability in detail, but we will also provide the code snippets and links to original references. So, let's get started!

Overview of Simple Video Embedder Plugin

The Simple Video Embedder plugin by James Lao is widely used in the WordPress community for easily embedding videos from popular platforms like YouTube and Vimeo on WordPress websites. However, its simplicity and convenience have some downsides as it contains a Stored XSS vulnerability in versions 2.2 or lower which can allow attackers to inject malicious scripts onto the targeted site. You can access the plugin's page on WordPress.org here: Simple Video Embedder.

CVE-2022-44590 Exploit Details

The Stored XSS vulnerability can be exploited by a user with the contributor role or higher permissions. The attacker can inject malicious JavaScript code into the video embed code by either submitting a new post or editing an existing one with the Simple Video Embedder shortcode. The attacker can craft a malicious payload like this:

[jl_video src="https://www.youtube.com/watch?v=dQw4w9WgXcQ"; onload=alert(document.cookie)] // Here, the 'onload' attribute has malicious code inserted to pop up an alert with the site's cookies

When users visit the website, the malicious JavaScript code is executed in their browser context

This vulnerability is dangerous as it can compromise the site's user data, execute JavaScript in the context of an administrator account, and even allow the attacker to take control of the affected WordPress site.

Original References and Further Reading

- Simple Video Embedder Plugin on WordPress.org
- CVE-2022-44590 on NVD (National Vulnerability Database)
- MITRE CVE Reference for CVE-2022-44590

Mitigation and Prevention

To address this vulnerability, it is recommended to update the Simple Video Embedder plugin to the latest version if it is available. Alternatively, you can consider using a different, more secure plugin for video embedding purposes. Always ensure that your WordPress installation and its plugins are up-to-date, and follow best security practices to keep your website safe.

In conclusion, CVE-2022-44590 is a critical Stored XSS vulnerability found in the Simple Video Embedder plugin for WordPress. It is vital for site administrators to address this issue immediately to prevent the exploitation of their websites by malicious actors. Stay safe and happy patching!

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 19:23:00 UTC