WordPress HTML5 MP3 Player with Playlist plugin XSS and SQL Injection Vulnerabilities

SecPod Research Team member (Thanga Prakash) has found Multiple Cross-site Scripting Vulnerabilities and SQL injection vulnerability in WordPress HTML5 MP3 Player with Playlist plugin. The vulnerability is caused by improper validation of various parameters in various pages. This may allow an attacker to steal cookie-based authentication credentials, inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Complete Advisory information can be found here.

Advisory in CVRF format can be found here.

Welcome any feedback or suggestions.

SecPod Research Team