Video on Admin Dashboard is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options.

Fixed in version 1.1.4.

Proof of concept

A user can insert a simple script in the Widget Title text field, e.g. "><script>alert('XSS');</script>. Every user role specified in the plugin's settings will now be targeted by the script.
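The coding pattern that typically produces this kind of stored XSS, next to the usual WordPress fix, as an added example. It is not the plugin's source or the author's 1.1.4 patch; the function names, option names, form field name and nonce action are hypothetical, and the code runs inside WordPress.

```php
<?php
// Added illustration, not the plugin's source. The option names, the form
// field 'widget_title' and the nonce action 'voad_save' are hypothetical.

// --- Vulnerable pattern: stored option echoed raw into an attribute ---
function voad_settings_field_vulnerable() {
    $title = get_option( 'voad_widget_title', '' );
    // A title starting with "> closes the value attribute, so markup after it runs.
    echo '<input type="text" name="widget_title" value="' . $title . '">';
}

// --- Hardened pattern: sanitize on save, escape on every output ---
function voad_save_settings() {
    // Only administrators, and only from a form carrying a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'voad_save' );

    $raw = isset( $_POST['widget_title'] ) ? wp_unslash( $_POST['widget_title'] ) : '';
    // sanitize_text_field() strips tags and line breaks before storage.
    update_option( 'voad_widget_title', sanitize_text_field( $raw ) );
}

function voad_settings_field_hardened() {
    $title = get_option( 'voad_widget_title', '' );
    // esc_attr() encodes quotes and angle brackets for the attribute context.
    echo '<input type="text" name="widget_title" value="' . esc_attr( $title ) . '">';
}

function voad_register_dashboard_widget() {
    $title = get_option( 'voad_widget_title', '' );
    // Escape at output too: values stored before the fix may still hold markup,
    // and the dashboard prints widget titles as HTML.
    wp_add_dashboard_widget( 'voad_widget', esc_html( $title ), 'voad_render_video' );
}
add_action( 'wp_dashboard_setup', 'voad_register_dashboard_widget' );

function voad_render_video() {
    // Hypothetical option holding the video URL; esc_url() drops javascript: URLs.
    $url = get_option( 'voad_video_url', '' );
    echo '<video controls src="' . esc_url( $url ) . '"></video>';
}
```

Escaping at output matters even after sanitizing on save, because a title stored by an earlier version stays in the database until it is overwritten.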

Plugin details

Plugin name: Video on Admin Dashboard
Plugin URL:
Plugin author: Nahiro


  • Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified
  • Saturday 11th of January 2020: Vulnerability fixed by the author in version 1.1.4
  • Sunday 12th of January 2020: Vulnerability made public on

Written by:

Jeroen Mulder

Jeroen cooks, hacks and climbs mountains.