Stored Cross-Site Scripting and Arbitrary Usermeta Update in FV Flowplayer Video Player Plugin
CVE-2023-4520
Summary
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_fv_player_user_video' parameter, which unauthenticated attackers can manipulate. The cause is insufficient input sanitization and output escaping in the 'save' function hooked to 'init'. Attackers can inject web scripts that are stored and then execute whenever a user accesses an affected page, which puts user data integrity at risk. Additionally, the plugin is vulnerable to Arbitrary Usermeta Update: attackers can alter user meta information, although the meta value is restricted to strings. This can compromise user accounts and disrupt the user experience.
Affected Version(s)
FV Flowplayer Video Player: versions <= 7.5.37.7212