CVE-2024-13156

Vulnerability

Overview

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting (XSS) in all versions up to and including 2.5.35. The flaw resides in insufficient input sanitization and output escaping of the ‘heading’ parameter, allowing attackers to inject malicious scripts that execute in the context of a victim's browser when they access a page containing the injected content [1].

Exploitation

Prerequisites

Exploitation requires authenticated access with at least Contributor-level permissions. An attacker can inject arbitrary web scripts via the heading parameter, which is then stored and rendered unsafely. The attack is DOM-based, meaning the payload executes client-side without requiring server-side reflection. No special network position is needed beyond the ability to create or edit posts/pages using the plugin's block or shortcode [1].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of users who view the compromised page. This can result in session hijacking, defacement, or theft of sensitive information. The vulnerability affects all users of the plugin, including site visitors and administrators [1].

Mitigation

As of the publication date (2025-01-14), users are advised to update to a patched version beyond 2.5.35. The vendor has not yet released a fix; however, the plugin's developers may address this in a future update. Until then, restricting Contributor-level access or disabling the plugin on untrusted sites can reduce risk [1].