WordPress Plugin Vulnerabilities

FV Flowplayer Video Player < 7.5.18.727 - Author+ SQLi

Description

The plugin does not sanitise and escape some parameters before using them in SQL statement, which could allow users with a role as low as Author to perform SQL injection attacks

Affects Plugins

Plugin icon
fv-wordpress-flowplayer
Fixed in 7.5.18.727

References

CVE
CVE-2022-25607
URL
https://plugins.trac.wordpress.org/changeset/2696049

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Tien Nguyen Anh
Verified
No
WPVDB ID
cc8c6223-628d-44d3-a3a9-3570341f9c28

Timeline

Publicly Published
2022-03-18 (about 4 years ago)
Added
2022-03-20 (about 4 years ago)
Last Updated
2022-04-11 (about 4 years ago)

Other

Published
Title
Published
2021-09-20
Title
MainWP Child Reports < 2.0.8 - Admin+ SQL Injection
Published
2024-05-06
Title
Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install) < 3.9.0 - Authenticated (Subscriber+) SQL Injection
Published
2022-05-02
Title
Nirweb support < 2.8.2 - Unauthenticated SQLi
Published
2014-08-01
Title
Wordpress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit
Published
2018-12-28
Title
Adicon Server <= 1.2 - SQL Injection