Time-Based SQL Injection Vulnerability in FV Flowplayer Video Player
CVE-2024-6338

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Fv FloWPlayer Video Player
Vendor: CVE Published:; 19 July 2024

Summary

The FV Flowplayer Video Player plugin for WordPress is susceptible to a time-based SQL Injection vulnerability. This issue exists due to improper handling of the ‘exclude’ parameter, where the lack of sufficient escaping on user-supplied data allows attackers with Subscriber-level access or higher to inject additional SQL queries. This exploitation could lead to unauthorized access and extraction of sensitive data from the database, posing a significant risk to affected WordPress installations. It is imperative for site administrators to update to the latest plugin version to mitigate this risk.

Affected Version(s)

FV Flowplayer Video Player * <= 7.5.46.7212

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/fv-wordpress-f...

https://wordpress.org/plugins/fv-wordpress-flowplayer/#de...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 19, 2024
Vulnerability Reserved
Jun 25, 2024

Credit

Arkadiusz Hydzik