VYPR
Medium severity 6.4 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50949


Description

WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Videos sync PDF plugin 1.7.4 has a stored XSS vulnerability allowing authenticated attackers to inject arbitrary JavaScript via unsanitized parameters in the plugin settings panel.

The WordPress plugin Videos sync PDF version 1.7.4 contains a stored cross-site scripting (XSS) vulnerability. The plugin fails to properly sanitize user-supplied input in the nom, pdf, mp4, webm, and ogg parameters within its options panel, allowing arbitrary HTML and JavaScript to be injected. Attackers can insert payloads such as " autofocus onfocus=alert(/XSS/)> that become permanently stored [1] [2].

Exploitation

An authenticated attacker with access to the plugin settings page (at /wp-admin/admin.php?page=aje_videosyncropdf_videos) can inject a malicious payload into any of the vulnerable fields. The stored script executes automatically when an administrator subsequently views or edits the video settings, due to the injected onfocus event handler. No additional user interaction is required beyond loading the affected admin page [1] [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin panel. This can be leveraged to perform administrative actions on behalf of the victim, steal session tokens or cookies, or deface the site. The vulnerability is classified as medium severity with a CVSS v3 score of 6.4 [2].

Mitigation

As of the advisory date, version 1.7.4 is the affected release. No patched version has been confirmed in the references. Users are advised to remove or disable the plugin until an update is available, or to sanitize input fields via a Web Application Firewall (WAF) rule as a temporary workaround.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
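
The flaw described above comes down to a stored setting being written back into the admin form without escaping. The PHP sketch below is an added example, not the plugin's source code: it contrasts that pattern with escaped output and with validation on save. Assumptions: the function names are hypothetical, the value is taken to be echoed into an input's value attribute, and the media fields are taken to hold URLs; the payload string is the one quoted in the text.

```php
<?php
// Added illustration; not the plugin's code. All function names are hypothetical.

// Payload string quoted in the advisory text.
$payload = '" autofocus onfocus=alert(/XSS/)>';

// Vulnerable pattern (assumed): stored option echoed into an attribute unescaped.
function render_field_unsafe(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Output escaping: quotes and angle brackets become entities, so the value
// cannot close the attribute. In WordPress code, esc_attr() does this job.
function render_field_safe(string $name, string $stored): string {
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $v = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $n . '" value="' . $v . '">';
}

// Validation on save for fields assumed to hold media URLs: reject quote,
// bracket and whitespace characters, then require a well-formed http(s) URL.
// In WordPress code, esc_url_raw() is the usual call before update_option().
function sanitize_media_url(string $raw): string {
    $raw = trim($raw);
    if (preg_match('/["\'<>\s]/', $raw)) {
        return '';
    }
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// Parse the markup and report whether the input really carries an onfocus attribute.
function has_event_handler(string $html): bool {
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress libxml warnings about the malformed fragment
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input !== null && $input->hasAttribute('onfocus');
}

foreach (['unsafe' => render_field_unsafe('mp4', $payload),
          'safe'   => render_field_safe('mp4', $payload)] as $label => $html) {
    printf("%-6s onfocus=%s  %s\n", $label, var_export(has_event_handler($html), true), $html);
}
var_dump(sanitize_media_url($payload));
var_dump(sanitize_media_url('https://example.test/clip.mp4')); // constructed sample URL
```

Escaping at output is the control that closes the hole even for values already stored; validation on save only keeps new bad values out.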

Affected products

2

Patches

0

No patches discovered yet.

References

3
