WordPress Plugin Vulnerabilities

FV Flowplayer Video Player < 7.5.31.7212 - Settings Toggle via CSRF

Description

The plugin does not have CSRF check when toggling ads settings, which could allow attackers to make logged in admins perform such action via a CSRF attack

Affects Plugins

Plugin icon
fv-wordpress-flowplayer
Fixed in 7.5.31.7212

References

CVE
CVE-2023-25066

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Cat
Verified
No
WPVDB ID
415f4fa7-17af-4c52-b702-d6d98873c36f

Timeline

Publicly Published
2023-02-14 (about 3 years ago)
Added
2023-02-14 (about 3 years ago)
Last Updated
2023-02-14 (about 3 years ago)

Other

Published
Title
Published
2024-02-26
Title
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Published
2021-03-01
Title
WP Private Content Plus < 3.2 - Cross-Site Request Forgery
Published
2025-01-16
Title
WP Lyrics <= 0.4.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2019-06-26
Title
Ads For WP <= 1.8 - Cross-Site Request Forgery (CSRF)
Published
2018-05-28
Title
JS Job <= 1.0.6 - CSRF