The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field.
Proof of Concept
Step1: Install and activate the plugin. Step2: Go to the plugin setting. Step3: Enter the following payload in the field "Default Skin" xss"></td></tr></table><script>alert(1)</script><input type='text' name="hflv_skin" value="xss Step4: Now the script is stored and whenever the user goes to the plugin the script will be executed.
No known fix
2021-05-05 (about 4 months ago)
2021-05-06 (about 4 months ago)
2021-05-07 (about 4 months ago)