CVE-2022-25607 – WordPress FV Flowplayer Video Player plugin <= 7.5.15.727 - SQL Injection (SQLi) vulnerability
https://notcve.org/view.php?id=CVE-2022-25607
Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in the FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727). • https://patchstack.com/database/vulnerability/fv-wordpress-flowplayer/wordpress-fv-flowplayer-video-player-plugin-7-5-15-727-sql-injection-sqli-vulnerability https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-39350 – FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39350
The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file, which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727. • https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')