CVE-2024-13156 identifies a DOM-based stored Cross-Site Scripting vulnerability in the HTML5 Video Player – mp4 Video Player Plugin and Block developed by bplugins for WordPress. This vulnerability exists in all versions up to 2.5.35 due to improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the ‘heading’ parameter. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages where the plugin is used. When other users access these pages, the injected scripts execute in their browsers within the context of the vulnerable site, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity, requiring only low privileges (Contributor) and no user interaction beyond page access. The scope is changed because the vulnerability affects other users beyond the attacker. No public exploits have been reported yet, but the vulnerability’s characteristics make it a credible threat to WordPress sites using this plugin. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce risk.

The primary impact of CVE-2024-13156 is the compromise of confidentiality and integrity for websites using the affected plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and website defacement. Although availability is not directly impacted, the reputational damage and loss of user trust can be significant. Since Contributor-level users are often allowed to create and edit content, this vulnerability expands the attack surface to a broader range of users than just administrators. The vulnerability’s exploitation could facilitate further attacks such as privilege escalation or persistent backdoors. Organizations relying on WordPress sites with this plugin, especially those with high traffic or sensitive user data, face increased risk of data breaches and operational disruption. The absence of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation.

Organizations should immediately audit their WordPress installations to identify the presence of the bplugins HTML5 Video Player – mp4 Video Player Plugin and Block. Until an official patch is released, restrict Contributor-level user permissions to the minimum necessary, and consider temporarily disabling or removing the plugin if feasible. Implement strict input validation and output encoding on all user-supplied data, especially parameters like ‘heading’ that are rendered in pages. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting this parameter. Monitor logs for unusual activity from Contributor accounts and anomalous page content changes. Educate content contributors about the risks of injecting untrusted content. Once a patch becomes available, apply it promptly and verify the fix through testing. Additionally, consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly update all WordPress plugins and core installations to minimize exposure to similar vulnerabilities.