MidnightBSD

Advisories for videowhisper

CVE-2010-4971 MEDIUM

Cross-site scripting (XSS) vulnerability in VideoWhisper PHP 2 Way Video Chat component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the r parameter to index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper php_2_way_video_chat *
CVE-2013-5714 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration 2.1
videowhisper videowhisper_live_streaming_integration 2.0
videowhisper live_streaming_integration_plugin 4.07
videowhisper live_streaming_integration_plugin 2.1
videowhisper videowhisper_live_streaming_integration 4.25
videowhisper videowhisper_live_streaming_integration 1.0.2
videowhisper videowhisper_live_streaming_integration *
videowhisper live_streaming_integration_plugin 2.0
videowhisper live_streaming_integration_plugin 4.05
videowhisper videowhisper_live_streaming_integration 4.07
videowhisper live_streaming_integration_plugin 1.0.2
videowhisper live_streaming_integration_plugin 4.25
videowhisper videowhisper_live_streaming_integration 4.05
videowhisper live_streaming_integration_plugin 2.2
videowhisper live_streaming_integration_plugin *
videowhisper videowhisper_live_streaming_integration 2.2
CVE-2014-1905 HIGH

Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration *
CVE-2014-1906 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration 2.1
videowhisper videowhisper_live_streaming_integration 2.0
videowhisper live_streaming_integration_plugin 4.07
videowhisper live_streaming_integration_plugin 2.1
videowhisper videowhisper_live_streaming_integration 4.25
videowhisper videowhisper_live_streaming_integration 1.0.2
videowhisper live_streaming_integration_plugin 4.27.3
videowhisper videowhisper_live_streaming_integration *
videowhisper live_streaming_integration_plugin 4.27
videowhisper live_streaming_integration_plugin 2.0
videowhisper live_streaming_integration_plugin 4.05
videowhisper videowhisper_live_streaming_integration 4.07
videowhisper live_streaming_integration_plugin 1.0.2
videowhisper videowhisper_live_streaming_integration 4.25.3
videowhisper live_streaming_integration_plugin 4.25
videowhisper videowhisper_live_streaming_integration 4.05
videowhisper live_streaming_integration_plugin 2.2
videowhisper live_streaming_integration_plugin *
videowhisper live_streaming_integration_plugin 4.25.3
videowhisper videowhisper_live_streaming_integration 2.2
CVE-2014-1907 MEDIUM

Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration 2.1
videowhisper videowhisper_live_streaming_integration 2.0
videowhisper live_streaming_integration_plugin 4.07
videowhisper live_streaming_integration_plugin 2.1
videowhisper videowhisper_live_streaming_integration 4.25
videowhisper videowhisper_live_streaming_integration 1.0.2
videowhisper live_streaming_integration_plugin 4.27.3
videowhisper videowhisper_live_streaming_integration *
videowhisper live_streaming_integration_plugin 4.27
videowhisper live_streaming_integration_plugin 2.0
videowhisper live_streaming_integration_plugin 4.05
videowhisper videowhisper_live_streaming_integration 4.07
videowhisper live_streaming_integration_plugin 1.0.2
videowhisper videowhisper_live_streaming_integration 4.25.3
videowhisper live_streaming_integration_plugin 4.25
videowhisper videowhisper_live_streaming_integration 4.05
videowhisper live_streaming_integration_plugin 2.2
videowhisper live_streaming_integration_plugin *
videowhisper live_streaming_integration_plugin 4.25.3
videowhisper videowhisper_live_streaming_integration 2.2
CVE-2014-1908 MEDIUM

The error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration *
CVE-2014-2297 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin 4.29.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) n parameter to ls/htmlchat.php or (2) bgcolor parameter to ls/index.php. NOTE: vector 1 may overlap CVE-2014-1906.4.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration 4.29.6
CVE-2014-2715 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\templates\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper videowhisper 7.x-1.3
videowhisper videowhisper 7.x-1.0
videowhisper videowhisper 7.x-1.1
videowhisper videowhisper 7.x-1.x
CVE-2014-4567 MEDIUM

Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_logout.php in the Video Comments Webcam Recorder plugin 1.55, as downloaded before 20140116 for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper video_comments_webcam_recorder *
CVE-2014-4568 MEDIUM

Cross-site scripting (XSS) vulnerability in posts/videowhisper/r_logout.php in the Video Posts Webcam Recorder plugin 1.55.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the message parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper video_posts_webcam_recorder *
CVE-2014-4569 MEDIUM

Cross-site scripting (XSS) vulnerability in ls/vv_login.php in the VideoWhisper Live Streaming Integration plugin 4.27.2 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the room_name parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration 2.1
videowhisper videowhisper_live_streaming_integration 2.0
videowhisper videowhisper_live_streaming_integration 4.07
videowhisper videowhisper_live_streaming_integration 4.25
videowhisper videowhisper_live_streaming_integration 4.05
videowhisper videowhisper_live_streaming_integration 1.0.2
videowhisper videowhisper_live_streaming_integration 4.27.2
videowhisper videowhisper_live_streaming_integration *
videowhisper videowhisper_live_streaming_integration 2.2
CVE-2014-4570 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Video Presentation plugin before 3.31 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) room_name parameter to c_login.php or (2) room parameter to index.php in vp/.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper video_presentation *
CVE-2014-8338 MEDIUM

Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/examples/special_textscroller.php in the VideoWhisper Webcam plugins for Drupal 7.x allows remote attackers to inject arbitrary web script or HTML via a URL to a crafted SVG file in the feed parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper webcam 7.x-1.7
CVE-2015-9271 HIGH

The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
videowhisper video_conference 4.91.8
CVE-2015-9272 HIGH

The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
videowhisper video_presentation 3.31.17
CVE-2021-24512 LOW

The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
videowhisper video_posts_webcam_recorder *
CVE-2021-34656 MEDIUM

The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
videowhisper 2way_videocalls_and_random_chat *
CVE-2022-27629 MEDIUM

Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
videowhisper micropayments *
CVE-2023-25699

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in VideoWhisper.Com VideoWhisper Live Streaming Integration allows OS Command Injection.This issue affects VideoWhisper Live Streaming Integration: from n/a through 5.5.15.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

Products Affected

Vendor Product Version
videowhisper videowhisper_live_streaming_integration *
CVE-2023-52213

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VideoWhisper Rate Star Review – AJAX Reviews for Content, with Star Ratings allows Reflected XSS.This issue affects Rate Star Review – AJAX Reviews for Content, with Star Ratings: from n/a through 1.5.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L 2.8 3.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
videowhisper rate_star_review *
CVE-2024-12504

The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versions up to, and including, 6.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
security@wordfence.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
videowhisper broadcast_live_video *
videowhisper videowhisper_live_streaming_integration *
CVE-2024-13584

The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
videowhisper picture_gallery *
CVE-2024-34759

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VideoWhisper Picture Gallery allows Stored XSS.This issue affects Picture Gallery: from n/a through 1.5.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L 2.3 3.7

Products Affected

Vendor Product Version
videowhisper picture_gallery *
CVE-2025-48255

Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video videowhisper-live-streaming-integration allows Cross Site Request Forgery.This issue affects Broadcast Live Video: from n/a through <= 6.2.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
videowhisper broadcast_live_video *
videowhisper videowhisper_live_streaming_integration *
CVE-2025-5937

The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
videowhisper micropayments *