CVE-2024-7629

6.4 MEDIUM

📋 TL;DR

The Responsive Video WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute when users view pages containing responsive videos, potentially compromising visitor browsers. WordPress sites using this plugin version 1.0 or earlier are affected.

💻 Affected Systems

Products:
  • Responsive Video WordPress Plugin
Versions: All versions up to and including 1.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires responsive videos to be enabled for posts, and the attacker needs contributor-level (or higher) WordPress access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install malware on visitor systems through persistent script execution.

🟠 Likely Case

Attackers with contributor accounts inject malicious scripts to steal session cookies, redirect users to phishing sites, or display unwanted content.

🟢 If Mitigated

With proper input validation and output escaping, no script injection would occur, maintaining normal plugin functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0

Vendor Advisory: https://plugins.trac.wordpress.org/browser/responsive-video/trunk/responsive-video.php#L534

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Responsive Video' plugin
4. Click 'Update Now' if update available
5. If no update, deactivate and delete plugin
6. Consider alternative video plugins

🔧 Temporary Workarounds

Disable Responsive Videos (all)

Disable responsive video functionality in posts to prevent exploitation.

Restrict User Roles (all)

Remove contributor-level access from untrusted users.

🧯 If You Can't Patch

  • Deactivate and remove the Responsive Video plugin immediately
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Responsive Video' version 1.0 or earlier

Check Version:

wp plugin list --name=responsive-video --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.0 or plugin is removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to video settings endpoints
  • Suspicious script tags in post content

Network Indicators:

  • Malicious script payloads in HTTP requests
  • Unexpected outbound connections from visitor browsers

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/*" AND method="POST" AND (body="responsive_video" OR body="video_settings"))
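The log indicators and the SIEM query above, translated into a runnable check. This is an added example, not code from the page or from the Responsive Video plugin project: the log line format (method, path, status, a `user=` field and a `body=` field) is an assumption, and every sample log line and post body is constructed for illustration.

```python
import re

# Assumed log line format (hypothetical, not a real WordPress or web-server format):
#   "<METHOD> <path> <status> user=<login> body=<raw request body>"
LOG_RE = re.compile(
    r'^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})\s+'
    r'user=(?P<user>\S+)\s+body=(?P<body>.*)$'
)

# Body markers taken from the page's SIEM query.
SUSPECT_BODY_KEYS = ("responsive_video", "video_settings")

# Markers of stored script injection in post content:
# script tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
SCRIPT_RE = re.compile(r'<\s*script\b|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)

# Constructed sample log lines (not captured from any real site).
SAMPLE_LOG = [
    'GET /wp-admin/edit.php 200 user=alice body=',
    'POST /wp-admin/post.php 302 user=contrib1 body=post_title=Demo&responsive_video=1&content=%3Cscript%3E',
    'POST /wp-admin/options.php 200 user=admin body=video_settings%5Bwidth%5D=640',
    'POST /wp-login.php 200 user=- body=log=bob&pwd=secret',
    'POST /wp-admin/admin-ajax.php 200 user=editor body=action=heartbeat',
]

# Constructed sample post bodies, as they would be stored in wp_posts.post_content.
SAMPLE_POSTS = {
    101: '<p>Our new video</p>[responsive_video src="https://example.com/v.mp4"]',
    102: '<p>Promo</p><script>document.location="https://attacker.invalid/"</script>',
    103: '<img src="x" onerror="alert(1)">',
}


def parse_log_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_admin_post(entry):
    """Same condition as the page's SIEM query: a POST to /wp-admin/* whose
    body references the plugin's settings."""
    if entry is None or entry["method"] != "POST":
        return False
    if not entry["path"].startswith("/wp-admin/"):
        return False
    return any(key in entry["body"] for key in SUSPECT_BODY_KEYS)


def flag_admin_posts(lines):
    """Return the parsed entries that match the admin-POST indicator, in log order."""
    return [e for e in (parse_log_line(l) for l in lines) if is_suspicious_admin_post(e)]


def find_script_markers(content):
    """Return the script-injection fragments found in one post body."""
    return [m.group(0) for m in SCRIPT_RE.finditer(content)]


def scan_posts(posts):
    """Map post id -> offending fragments, for posts that contain any."""
    return {pid: hits for pid, content in posts.items() if (hits := find_script_markers(content))}


if __name__ == "__main__":
    for e in flag_admin_posts(SAMPLE_LOG):
        print(f"suspicious admin POST by {e['user']} to {e['path']}")
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {pid} contains stored script markers: {hits}")
```

As the sample run shows, the query condition also fires on a legitimate settings save by an administrator, so it is a triage signal rather than an alert on its own: join the `user` field against the account's role and prioritise hits from contributor-level accounts, and run the content scan over existing `post_content` to find payloads that were stored before monitoring began.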
