CVE-2014-1906 in Live Streaming Integration plugin
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/20/2025
The vulnerability CVE-2014-1906 represents a critical cross-site scripting flaw within the VideoWhisper Live Streaming Integration plugin for WordPress, affecting versions prior to 4.29.5. This plugin facilitates live streaming integration capabilities for WordPress websites, making it a potentially attractive target for attackers seeking to exploit web application vulnerabilities. The flaw stems from insufficient input validation and output encoding practices within multiple script files that handle user-supplied data, creating persistent XSS attack vectors that can be leveraged by remote adversaries without authentication.
The technical implementation of this vulnerability manifests through multiple attack vectors across different PHP scripts within the plugin's codebase. Attackers can exploit the vulnerability by injecting malicious scripts through various parameters including the m parameter in lb_status.php, the msg parameter in vc_chatlog.php, and multiple parameters such as n in channel.php, htmlchat.php, video.php, and videotext.php. Additional attack vectors exist through the message parameter in lb_logout.php and the ct parameter in both lb_status.php and v_status.php within the ls/ directory. These parameters receive user input without proper sanitization or encoding, allowing malicious payloads to be executed in the context of other users' browsers when they view affected pages.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it enables attackers to perform session hijacking, redirect users to malicious sites, or inject persistent malicious content that can compromise user sessions and potentially spread to other connected systems. The vulnerability affects the core functionality of the live streaming plugin, making it particularly dangerous for websites that rely on real-time communication features. Attackers could exploit these vulnerabilities to gain unauthorized access to user sessions, steal cookies, or execute arbitrary commands on vulnerable systems, potentially leading to complete compromise of the WordPress installation and associated user data.
Security practitioners should implement immediate mitigation strategies including updating to the patched version 4.29.5 or later, implementing web application firewalls to filter malicious input, and conducting thorough security audits of all installed plugins. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and maps to ATT&CK technique T1059.007 for script injection. Organizations should also consider implementing Content Security Policy headers and regular security scanning to prevent similar vulnerabilities from being exploited in the future, as this class of vulnerability represents one of the most common attack vectors in web application security assessments and has historically accounted for a significant percentage of successful web application compromises.