CVE-2024-12504
📋 TL;DR
This stored XSS vulnerability in the Broadcast Live Video WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts via the 'videowhisper_hls' shortcode. The scripts execute when users view pages containing the injected shortcode, potentially compromising visitor sessions. All WordPress sites using this plugin up to version 6.1.9 are affected.
💻 Affected Systems
- Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP WordPress plugin, versions 6.1.9 and earlier
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect visitors to malicious sites, or install backdoors for persistent access.
Likely Case
Session hijacking of visitors, cookie theft, or displaying malicious content to users viewing affected pages.
If Mitigated
Exploitation is limited to authenticated users with contributor-level access or higher; if the plugin escapes shortcode attribute output, visitors see sanitized content instead of the injected script.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access; XSS payloads can be delivered via shortcode attributes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.0 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Broadcast Live Video – Live Streaming' plugin.
4. Click 'Update Now' if available, or manually update to version 6.2.0+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
- Remove vulnerable shortcode usage: temporarily disable or remove instances of the 'videowhisper_hls' shortcode from posts/pages
- Restrict user roles: limit contributor-level access to trusted users only until patching
🧯 If You Can't Patch
- Disable the plugin entirely until patching is possible
- Implement web application firewall (WAF) rules to block XSS payloads in shortcode attributes
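The "If Mitigated" outcome above depends on the plugin escaping shortcode attributes before they reach the page. The following is an added illustration of that bug class and its WordPress-idiomatic fix; it is not code from the Broadcast Live Video plugin, and the handler names (`hypothetical_hls_shortcode_vulnerable`, `hypothetical_hls_shortcode_hardened`) and the sample attributes are constructed for the example. The `esc_attr`, `esc_url` and `shortcode_atts` stand-ins exist only so the file runs outside WordPress; inside a plugin, the real WordPress functions of those names are used and the handler is registered with `add_shortcode()`.

```php
<?php
// Added illustration, not code from the Broadcast Live Video plugin.
// Shows the bug class behind CVE-2024-12504 (a shortcode attribute echoed
// into HTML unescaped) next to the escaped form that prevents stored XSS.

// Stand-ins so this file runs outside WordPress; in a plugin the WordPress
// functions of the same name are defined and these blocks are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Simplified stand-in: only http(s) URLs survive, then attribute-escape.
        $url = (string) $url;
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts) {
        // Keeps only attributes that have a default, as WordPress does.
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Vulnerable pattern (hypothetical handler): attribute values are
// concatenated into HTML unchanged, so a contributor-supplied value can
// close the attribute and inject markup.
function hypothetical_hls_shortcode_vulnerable(array $atts) {
    $atts = shortcode_atts(array('src' => '', 'title' => 'Live'), $atts);
    return '<video src="' . $atts['src'] . '" title="' . $atts['title'] . '" controls></video>';
}

// Hardened pattern: each value is escaped for the context it is printed in
// (URL attribute vs. plain attribute), so the markup structure is fixed.
function hypothetical_hls_shortcode_hardened(array $atts) {
    $atts = shortcode_atts(array('src' => '', 'title' => 'Live'), $atts);
    return '<video src="' . esc_url($atts['src'])
         . '" title="' . esc_attr($atts['title']) . '" controls></video>';
}

// Constructed sample attributes: a benign stream URL and a title carrying
// the textbook attribute-breakout probe used when testing escaping.
$sample = array(
    'src'   => 'https://media.example.test/stream.m3u8',
    'title' => '"><script>alert(1)</script>',
);

echo "Vulnerable output:\n" . hypothetical_hls_shortcode_vulnerable($sample) . "\n\n";
echo "Hardened output:\n"   . hypothetical_hls_shortcode_hardened($sample) . "\n";
```

Run with `php example.php`: the vulnerable handler emits the probe as live markup after the `title` attribute, while the hardened handler renders it as `&quot;&gt;&lt;script&gt;...` inside the attribute, which is what the "If Mitigated" case describes. When reviewing a shortcode handler, check that every attribute is passed through the escaping function matching its output context (`esc_attr` for attributes, `esc_url` for URLs, `esc_html` for text nodes) rather than relying on input filtering alone.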
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Broadcast Live Video – Live Streaming' version 6.1.9 or lower
Check Version:
wp plugin list --name='videowhisper-live-streaming-integration' --field=version
Verify Fix Applied:
Confirm plugin version is 6.2.0 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode modifications by contributor-level users
- Multiple failed login attempts followed by shortcode edits
Network Indicators:
- Unexpected script loads from WordPress pages containing videowhisper_hls shortcode
SIEM Query:
source="wordpress" AND (event="plugin_edit" OR event="post_update") AND user_role="contributor" AND plugin_name="videowhisper-live-streaming-integration"
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3218331%40videowhisper-live-streaming-integration&new=3218331%40videowhisper-live-streaming-integration&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/74b27798-3c6f-4c4e-80f8-7aa40f704fb7?source=cve