CVE-2024-13156
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into website pages via the HTML5 Video Player plugin. The injected scripts execute whenever other users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- HTML5 Video Player – mp4 Video Player Plugin and Block for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or completely compromise the WordPress site and potentially the underlying server.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, redirect visitors to phishing pages, or deface the website with malicious content.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and only authenticated users could access administrative functions.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.36 or later
Vendor Advisory: https://wordpress.org/plugins/html5-video-player/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'HTML5 Video Player'. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.5.36+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the HTML5 Video Player plugin until patched
wp plugin deactivate html5-video-player
Restrict user roles
allTemporarily remove Contributor role access or limit to trusted users only
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Use web application firewall (WAF) rules to block suspicious heading parameter values
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for HTML5 Video Player version. If version is 2.5.35 or lower, you are vulnerable.Check Version:
wp plugin get html5-video-player --field=versionVerify Fix Applied:
After updating, verify plugin version shows 2.5.36 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with heading parameter containing script tags
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- JavaScript payloads in heading parameter values
- Unexpected outbound connections from WordPress site
SIEM Query:
source="wordpress" AND ("heading" AND ("<script" OR "javascript:" OR "onerror="))🔗 References
- https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/dist/frontend.js
- https://plugins.trac.wordpress.org/changeset/3221089/
- https://wordpress.org/plugins/html5-video-player/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e0b26af2-d559-49bf-841a-1974360b3ad6?source=cve
