Advisory:

Cross-site scripting vulnerability in ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML, version 1.08

Vulnerability

Last revised:

This plugin emits the HTTP Referer header, unsanitised, into JavaScript on its options page, at line 283 of wp-1pluginjquery.php.

If an attacker can trick an administrator into following a link from a page of the attacker's choice to the plugin's options page (so that the attacker-controlled URL arrives in the Referer header), the attacker could execute JavaScript in the context of the victim's administrator session, allowing them to make requests as the administrator, steal nonce values or hijack the administrator account.

This attack may not be possible in some browsers, which URL-encode characters such as < and > before sending them in the Referer header, leaving only the characters a browser passes through unencoded available to the attacker.
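The pattern described above, as an added illustration rather than the plugin's own code (the page does not show line 283, and the function names, markup and sample Referer value here are assumptions): a Referer written straight into a script block, beside a hardened version that encodes the value as a JavaScript literal and, as a belt-and-braces check, refuses referers from another host.

```php
<?php
// Added example for this advisory, not code from the ZooEffect plugin.
// Function names, the option-page markup and the sample Referer are
// assumptions chosen for the demonstration.

// Constructed attacker-controlled Referer, as a browser would send it after
// the administrator follows a link from the attacker's page. In the real
// plugin the value would come from $_SERVER['HTTP_REFERER'].
$referer = "http://attacker.example/?x=';alert(document.cookie);//";

// Vulnerable pattern: the raw header is interpolated into a JS string
// literal. A single quote in the Referer closes the literal and everything
// after it runs as code in the administrator's session.
function render_vulnerable($referer) {
    return "<script>var backTo = '" . $referer . "';</script>";
}

// Hardened pattern: emit the value as a JSON literal with the HEX flags so
// that <, >, &, ' and " are hex-escaped and can neither terminate the string
// nor close the <script> element. Inside WordPress the equivalents are
// wp_json_encode() for a whole JS value or esc_js() for a value placed
// inside an existing quoted JS string.
function render_hardened($referer) {
    $js = json_encode(
        $referer,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var backTo = " . $js . ";</script>";
}

// Belt and braces: the Referer is attacker-controlled input, so only accept
// one whose host is this site's own and fall back to a fixed admin URL
// otherwise. $expected_host and $fallback are assumed values for the demo;
// in WordPress the fallback would come from admin_url().
function safe_referer($referer, $expected_host, $fallback) {
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host !== null && $host !== false && strcasecmp($host, $expected_host) === 0) {
        return $referer;
    }
    return $fallback;
}

echo render_vulnerable($referer), PHP_EOL;
echo render_hardened($referer), PHP_EOL;
echo render_hardened(
    safe_referer($referer, 'example.test', 'https://example.test/wp-admin/')
), PHP_EOL;
```

Run with `php example.php`: the first line shows the injected `alert(...)` sitting outside the string literal, the second shows the same Referer rendered as a harmless escaped string, and the third shows the foreign host replaced by the fallback URL. Encoding fixes the injection; the host check additionally stops an attacker-chosen URL from being reflected at all.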

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability
Score: 4.0 (Medium)
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Vector string: AV:N/AC:L/Au:S/C:N/I:P/A:N
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

Version 1.09 has been released and fixes this vulnerability. Users running older versions should upgrade immediately.