WordPress Plugin Vulnerabilities

FV Flowplayer Video Player < 7.4.38.727 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise the fv_wp_fvvideoplayer_src parameter when creating or editing the video player, which will then be triggered when viewing the table of players in the admin dashboard

Affects Plugins

Plugin icon
fv-wordpress-flowplayer
Fixed in 7.4.38.727

References

CVE
CVE-2020-35748
URL
https://arkango.github.io/CVE-2020/CVE-2020-35748%20xss%20FV%20Flowplayer%20Video%20Player%20Wordpress%20plugin.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Arcangelo Saracino
Verified
No
WPVDB ID
86b26cde-2b98-4596-b0bc-02d65bd4f764

Timeline

Publicly Published
2021-01-15 (about 3 years ago)
Added
2021-01-15 (about 3 years ago)
Last Updated
2021-01-16 (about 3 years ago)

Other

Published
Title
Published
2023-11-07
Title
Seo By 10Web <= 1.2.9 - Reflected XSS
Published
2014-08-01
Title
Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS
Published
2023-09-25
Title
ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS
Published
2015-04-20
Title
Broken Link Checker <= 1.10.5 - CSRF/XSS
Published
2023-12-11
Title
WP TripAdvisor Review Slider < 11.9 - Admin+ Stored XSS