WordPress External Videos Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in the External Videos WordPress plugin (≤2.0.1) allows admin-level users to inject arbitrary JavaScript, leading to session hijacking or site compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated (Administrator or higher) stored cross-site scripting (XSS) vulnerability exists in the External Videos plugin for WordPress, versions 2.0.1 and earlier [1]. The flaw resides in the plugin’s handling of user-supplied input that is stored and later rendered without proper sanitization or output escaping, allowing an attacker with administrator-level access to inject malicious scripts [1].
Exploitation
An attacker must have authenticated access to the WordPress admin area, specifically a role with Administrator privileges or equivalent capability [1]. The attacker can inject arbitrary JavaScript into a plugin field (e.g., a video URL or metadata) that is subsequently stored in the database. When the stored value is displayed in the admin dashboard or front-end, the injected script executes in the browser of any user visiting the affected page [1]. No additional user interaction is required beyond the victim viewing the page.
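The following PHP is an added illustration, not code from the External Videos plugin or from WordPress itself. It shows the defect class described above (a stored, admin-supplied value echoed into markup without escaping) beside the WordPress-idiomatic fix of sanitizing on save and escaping per output context. The `ev_demo_*` function names and the sample submitted values are hypothetical; the `esc_*`/`sanitize_text_field` stand-ins exist only so the file runs outside WordPress, which supplies the real functions.

```php
<?php
// Added illustration (not the plugin's code): stored XSS pattern vs. hardened pattern.
// ev_demo_* names are hypothetical. Stand-ins below are only for running outside WordPress;
// inside WordPress the real esc_html(), esc_url() and sanitize_text_field() are used.
if (!function_exists('esc_html')) {
    function esc_html($t) { return htmlspecialchars((string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: allow only http(s), which also rejects javascript: and data: schemes,
    // and make the result safe for an HTML attribute.
    function esc_url($u) {
        $u = trim((string) $u);
        return preg_match('#^https?://#i', $u)
            ? htmlspecialchars($u, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// VULNERABLE pattern: stored values dropped straight into a text node and an href attribute.
// A <script> in the title runs for every viewer; a javascript: href runs on click.
function ev_demo_render_vulnerable(array $video): string {
    return '<li><a href="' . $video['url'] . '">' . $video['title'] . '</a></li>';
}

// HARDENED pattern, step 1: sanitize when the value is saved, even though the submitter is an admin.
function ev_demo_sanitize_on_save(array $input): array {
    return [
        'title' => sanitize_text_field($input['title'] ?? ''),
        'url'   => esc_url($input['url'] ?? ''),
    ];
}

// HARDENED pattern, step 2: escape again at output time, choosing the escaper by context
// (esc_url for the href attribute, esc_html for the text node). Never trust the stored value.
function ev_demo_render_hardened(array $video): string {
    return '<li><a href="' . esc_url($video['url']) . '">' . esc_html($video['title']) . '</a></li>';
}

// Constructed sample: a hostile submission an Administrator could make through a plugin form.
$submitted = [
    'title' => 'Keynote <script>alert(1)</script>',
    'url'   => 'javascript:alert(1)',
];

echo "vulnerable: " . ev_demo_render_vulnerable($submitted) . "\n";

$stored = ev_demo_sanitize_on_save($submitted);
echo "hardened:   " . ev_demo_render_hardened($stored) . "\n";
```

Run with `php` on the command line: the vulnerable renderer emits the script tag and the `javascript:` link unchanged, while the hardened path stores the title as plain text, drops the URL because its scheme is not allowed, and escapes whatever remains at output. The point for reviewers is that "only admins can write this field" is not a substitute for output escaping, since the stored value is later rendered to every visitor.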
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim’s browser session. This can lead to disclosure of session cookies, injection of administrative actions (e.g., creation of new admin accounts), defacement of the site, or further compromise of the WordPress installation [1]. The attack gains the privilege level of the victim user; if the victim is an administrator, the entire site can be controlled.
Mitigation
The plugin was closed on 2024-03-07 and removed from the WordPress.org plugin directory for a security issue [1]. No patched version has been released, and users are strongly advised to uninstall and remove the External Videos plugin immediately [1]. There is no known official fix, and the plugin is considered end-of-life. It is not listed on the CISA KEV catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products
- External Videos plugin: Range <= 2.0.1
- Silvia Pfeiffer and Andrew Nimmo / External Videos: Range n/a
Patches
0 patches
external-videos: This plugin has been removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References: 1 (cited as [1] above)
News mentions: 0