WordPress Plugin Vulnerabilities

FV Flowplayer Video Player < 7.5.45.7212 - Authenticated (Contributor+) Arbitrary Redirect

Description

The FV Flowplayer Video Player plugin for WordPress is vulnerable to unauthorized redirects in all versions up to, and including, 7.5.44.7212. This is due to the plugin not restricting contributor and above users from being able to add redirects at the end of videos. This makes it possible for authenticated attackers, with contributor-level access and above, to redirect administrators to arbitrary sites that can be malicious.

Affects Plugins

Plugin icon
fv-wordpress-flowplayer
Fixed in 7.5.45.7212

References

CVE
CVE-2024-32078
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/360010f3-9053-4c69-a4e8-12f0c77ba746

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Byeongjun Jo
Verified
No
WPVDB ID
820d6ee8-aa32-437f-beb0-8f7d7fd10617

Timeline

Publicly Published
2024-04-11 (about 2 years ago)
Added
2024-04-18 (about 2 years ago)
Last Updated
2024-04-18 (about 2 years ago)

Other

Published
Title
Published
2021-06-01
Title
MC4WP: Mailchimp for WordPress < 4.8.5 - Authenticated Arbitrary Redirect
Published
2025-04-07
Title
Advanced Advertising System <= 1.3.1 - Open Redirect
Published
2025-04-09
Title
WebinarPress <= 1.33.27 - Open Redirect
Published
2014-05-07
Title
Prostore < 1.1.3 - Open Redirection
Published
2014-08-01
Title
WPtouch 1.9.27 - 'wptouch_redirect' Parameter URI Redirection