Stored Cross-Site Scripting in Broadcast Live Video Streaming Plugin for WordPress
CVE-2024-12504
5.4MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 23 January 2025
What is CVE-2024-12504?
The Broadcast Live Video – Live Streaming plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability through the 'videowhisper_hls' shortcode. This flaw arises from inadequate input sanitization and output escaping for user-supplied attributes. As a result, authenticated users with contributor-level access or higher can inject malicious JavaScript into web pages. Such scripts will execute whenever a user visits the compromised page, posing significant security risks to affected sites.
Affected Version(s)
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP * <= 6.1.9