CVE-2022-25607 – WordPress FV Flowplayer Video Player plugin <= 7.5.15.727 - SQL Injection (SQLi) vulnerability
https://notcve.org/view.php?id=CVE-2022-25607
An authenticated (author or higher user role) SQL injection (SQLi) vulnerability was discovered in the FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727).
https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-15-727-sql-injection-sqli-vulnerability
https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-39350 – FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39350
The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file, which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35748 – FV Flowplayer Video Player <= 7.4.37.727 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-35748
Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the fv_wp_fvvideoplayer_src JSON field in the data parameter.
https://docs.google.com/document/d/1xUTEmWqfy3u3KBSTjxCAGe3gIF15awFmzgCXrKfVl2U/edit?usp=sharing
https://github.com/arkango
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-13573 – FV Flowplayer Video Player <= 7.3.18.727 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13573
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
https://fortiguard.com/zeroday/FG-VD-19-097
https://plugins.trac.wordpress.org/changeset/2121566/fv-wordpress-flowplayer/trunk/models/db.php
https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers
https://wpvulndb.com/vulnerabilities/9451
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-14801 – FV Flowplayer Video Player <= 7.3.14.727 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-14801
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection.
https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')