CVE-2024-5205 in Videojs HTML5 Player Plugin
Summary
by MITRE • 05/24/2024
The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojs_video shortcode in all versions up to, and including, 1.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2025
The Videojs HTML5 Player plugin for WordPress represents a critical security vulnerability through its stored cross-site scripting flaw that affects all versions up to and including 1.1.11. This vulnerability specifically manifests within the plugin's videojs_video shortcode implementation where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The flaw exists at the core of how the plugin processes shortcode parameters, creating an attack vector that allows malicious actors to inject persistent script code into the plugin's processing pipeline.
The technical execution of this vulnerability requires authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment. This access level is significant because it represents a relatively low barrier to entry for threat actors who can leverage existing user accounts with minimal escalation requirements. Once an attacker gains this level of access, they can manipulate the videojs_video shortcode parameters to include malicious script payloads that will be stored within the plugin's data handling mechanism.
The operational impact of this vulnerability extends beyond simple script injection as it creates a persistent threat vector that can affect all users who subsequently view pages containing the compromised shortcode. When victims access pages with injected scripts, the malicious code executes in their browsers according to the attacker's design, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The stored nature of this XSS vulnerability means that the malicious payloads remain active until manually removed by administrators, creating prolonged exposure windows.
This vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses insufficient input sanitization leading to cross-site scripting attacks. From an ATT&CK framework perspective, this represents a technique for maintaining persistent access through web application vulnerabilities and could be categorized under T1566 - Phishing and T1071.3 - Application Layer Protocol: Dns for potential command and control communications. The flaw demonstrates poor input validation practices that violate secure coding principles established in OWASP Top Ten and the Secure Coding Guidelines.
Mitigation strategies should begin with immediate patching to versions that address the input sanitization deficiencies, though administrators must first assess their current plugin installations and ensure proper backup procedures are in place before applying updates. Additionally, implementing proper input validation and output escaping mechanisms at all points where user-supplied data enters the system would prevent similar vulnerabilities from occurring. Regular security audits of WordPress plugins should include verification of sanitization practices and privilege access controls to prevent unauthorized users from exploiting such vulnerabilities. Network monitoring solutions should also be configured to detect anomalous script execution patterns that might indicate exploitation attempts.
The vulnerability highlights fundamental security gaps in plugin development practices where user input validation is insufficiently implemented, particularly for shortcode parameters that are processed without adequate sanitization. This represents a common pattern in WordPress plugin development where developers may not fully appreciate the security implications of processing user-supplied attributes through shortcodes, leading to widespread exposure across numerous installations. Organizations should implement comprehensive security training for developers working with WordPress plugins and establish mandatory code review processes that specifically verify input validation and output escaping mechanisms are properly implemented.