CVE-2024-43296 – WordPress HTML5 Video Player plugin <= 2.5.30 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43296
Missing Authorization vulnerability in bPlugins LLC Flash & HTML5 Video allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flash & HTML5 Video: from n/a through 2.5.30. The Flash & HTML5 Video plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in versions up to, and including, 2.5.30. This makes it possible for authenticated attackers, with subscriber-level access and above, to update views, create thumbnails, and more. • https://patchstack.com/database/vulnerability/html5-video-player/wordpress-html5-video-player-plugin-2-5-30-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-43319 – WordPress HTML5 Video Player plugin <= 2.5.31 - Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-43319
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in bPlugins LLC Flash & HTML5 Video.This issue affects Flash & HTML5 Video: from n/a through 2.5.31. The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.31 via the h5vp_export_data() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract potentially sensitive information from exports. • https://patchstack.com/database/vulnerability/html5-video-player/wordpress-html5-video-player-plugin-2-5-31-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-4534 – HTML5 Video Player with Playlist <= 2.4.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4534
Multiple cross-site scripting (XSS) vulnerabilities in videoplayer/autoplay.php in the HTML5 Video Player with Playlist plugin 2.4.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) theme or (2) playlistmod parameter. Múltiples vulnerabilidades de XSS en videoplayer/autoplay.php en el plugin HTML5 Video Player with Playlist 2.4.0 y anteriores para WordPress permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) theme o (2) playlistmod. The HTML5 Video Player with Playlist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'theme' and 'playlistmod' parameters in videoplayer/autoplay.php in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • http://codevigilant.com/disclosure/wp-plugin-html5-video-player-with-playlist-a3-cross-site-scripting-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •