A critical cross-site scripting (XSS) vulnerability has been identified in the Radio Forge Muses Player with Skins Plugin for WordPress. The vulnerability could allow an attacker to inject malicious scripts into a web page. This vulnerability was discovered and reported by Le Ngoc Anh.

The vulnerability is due to a failure to properly sanitize user input in the Radio Forge Muses Player with Skins Plugin. This allows an attacker to inject malicious scripts into the input fields that are used by the plugin.

The vulnerability can be exploited by sending a specially crafted request to the affected system. This request will contain the malicious script that the attacker wants to inject. If the request is successful, the malicious script will be executed when the web page is displayed to the victim.
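The following is an added example, not code from the Radio Forge Muses Player plugin or from the advisory above, showing the class of defect described: a plugin setting echoed into the page without escaping, beside a hardened version that validates structured fields and escapes every value at output. The function names, the settings array, the skin allow-list and the sample values are all constructed for this illustration; plain PHP's htmlspecialchars() stands in for WordPress's esc_attr()/esc_html() so the script runs without WordPress.

```php
<?php
// Added example (not the plugin's code). Demonstrates unsafe output of
// attacker-controlled settings next to a hardened rendering path.
// All names and sample values below are constructed for this illustration.

declare(strict_types=1);

// Vulnerable pattern: settings are concatenated straight into attribute and
// element context. A quote or angle bracket in any value breaks out of the
// intended context and is interpreted as markup by the browser.
function render_player_unsafe(array $settings): string
{
    return '<div class="muses-player" data-stream="' . $settings['stream']
        . '" data-skin="' . $settings['skin'] . '">'
        . '<span class="title">' . $settings['title'] . '</span></div>';
}

// Context-aware escaping for HTML attribute values and text content.
// In WordPress this is the job of esc_attr() / esc_html(); plain PHP's
// htmlspecialchars() is used here so the example runs stand-alone.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Structured inputs get validated, not just escaped: a stream URL must be
// http(s) with a host, and a skin name must come from a fixed allow-list.
// (In WordPress, esc_url() plus a hard-coded skin list would play this role.)
function validate_stream_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hypothetical skin allow-list; the real plugin's skin names are not known here.
const ALLOWED_SKINS = ['default', 'dark', 'compact'];

function validate_skin(string $skin): string
{
    return in_array($skin, ALLOWED_SKINS, true) ? $skin : 'default';
}

// Hardened pattern: validate structured fields first, escape everything at
// the point of output, and refuse to render rather than echo bad input.
function render_player_safe(array $settings): string
{
    $stream = validate_stream_url((string) ($settings['stream'] ?? ''));
    if ($stream === null) {
        return '<div class="muses-player muses-error">Invalid stream URL</div>';
    }
    $skin  = validate_skin((string) ($settings['skin'] ?? 'default'));
    $title = (string) ($settings['title'] ?? '');

    return '<div class="muses-player" data-stream="' . esc_html_ctx($stream)
        . '" data-skin="' . esc_html_ctx($skin) . '">'
        . '<span class="title">' . esc_html_ctx($title) . '</span></div>';
}

// Constructed input resembling tampered plugin settings: the skin value
// tries to close the attribute, the title carries a script element.
$tainted = [
    'stream' => 'https://stream.example/radio',
    'skin'   => 'dark" class="injected',
    'title'  => 'Rock FM<script>poc()</script>',
];

echo "Unsafe:\n" . render_player_unsafe($tainted) . "\n\n";
echo "Safe:\n"   . render_player_safe($tainted) . "\n";
```

Running the script prints the unsafe markup with the script element intact and the attribute broken open, while the hardened path renders the skin as the allow-listed fallback and the title as escaped text (`Rock FM&lt;script&gt;poc()&lt;/script&gt;`). The design point is that escaping alone is not enough for fields with a known structure, such as a URL or a skin name; validating those against what the plugin actually accepts removes the ambiguity before output encoding is applied.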

Severity

The vulnerability has a CVSS 3.1 base score of 9.8, which falls in the Critical range. This means that the vulnerability is very likely to be exploited and could have a significant impact on the confidentiality, integrity, or availability of a system.

Affected Versions

The vulnerability affects Radio Forge Muses Player with Skins Plugin version 7.1.

Impact

An attacker who successfully exploits this vulnerability could inject malicious scripts into a web page that is displayed to a victim. These scripts could then be executed by the victim when they view the web page. This could allow the attacker to steal sensitive data, install malware, or disrupt the operation of the system.

Recommendation

Users of Radio Forge Muses Player with Skins Plugin are advised to stop using this plugin. No patched version is available, and the vendor has not responded to reports of the vulnerability.