WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

FV Flowplayer Video Player <= 7.3.18.727 - SQL Injection

Description

Lack of sanitisation in the order and order_by variable in the getListPageData() function could allow SQL Injection attacks

Affects Plugins

fv-wordpress-flowplayer
Fixed in version 7.3.19.727

References

CVE
CVE-2019-13573
URL
https://plugins.trac.wordpress.org/changeset/2121566
URL
https://github.com/foliovision/fv-wordpress-flowplayer/commit/02bea654fba7ae870c06e768350367903df9855f
URL
https://fortiguard.com/zeroday/FG-VD-19-097
URL
https://www.fortinet.com/blog/threat-research/wordpress-plugin-sql-injection-vulnerability.html

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Tin Duong

Verified

No

WPVDB ID
bb920dda-27eb-4a0f-98c5-c479343eb141

Timeline

Publicly Published

2019-07-11 (about 2 years ago)

Added

2019-07-12 (about 2 years ago)

Last Updated

2020-09-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin