WordPress Plugin Vulnerabilities

Flash & HTML5 Video < 2.5.31 - Missing Authorization

Description

The Flash & HTML5 Video plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in versions up to, and including, 2.5.30. This makes it possible for authenticated attackers, with subscriber-level access and above, to update views, create thumbnails, and more.

Affects Plugins

Plugin icon
html5-video-player
Fixed in 2.5.31

References

CVE
CVE-2024-43296
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/84ce21b9-91ac-4990-8665-69a1461147ab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
180a8673-97a5-4789-aa74-d65455357544

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2025-08-11
Title
B Blocks < 2.0.7 - Missing Authorization to Unauthenticated Privilege Escalation via rgfr_registration Function
Published
2025-03-31
Title
Vitepos < 3.1.5 - Missing Authorization
Published
2025-12-11
Title
Masker for Elementor <= 1.1.4 - Missing Authorization
Published
2025-01-16
Title
Debug Tool <= 2.2 - Missing Authorization
Published
2025-12-23
Title
Brave < 0.8.4 - Missing Authorization