Another plugin has entered the ever-growing list of vulnerable WordPress plugins. The WordPress free plugin FV Flowplayer Video Player which is being used for embedding FLV or MP4 videos into posts or pages is found to be vulnerable to XSS, SQL injection & CSV Export. Installed on 40,000+ websites at present, it has been updated only 4 days ago after the vulnerabilities were reported. Versions prior to 7.3.14.727 are vulnerable to the mentioned attacks.

FV Flowplayer Video Player SQLi Vulnerability

This rather critical SQLi vulnerability in FV Flowplayer lets an unauthenticated attacker inject malicious JavaScript code.

 

The vulnerable function here is the`wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. The ‘email‘ in the above script accepts any input in the email field and the data gets transmitted to the sensitive email database.

In the case of SQLi vulnerability in WordPress, the following signs could help you if your website is being compromised or not. Here is the list:

FV Flowplayer Video Player XSS Vulnerability

The above malicious codes, in turn, gets executed in admin’s web browser.

As discussed earlier the malicious input gets to the email export screen without being sanitized. The consequences of this could be devastating as this might result in persistent cross-site scripting attacks.

It saves anything that the user provides in `email` POST parameter.

 

The XSS vulnerability is quite a severe one as it could lead to rather serious damage to your WordPress website if exploited. Listed below are only a few probable exploits that could bud from XSS vulnerability. Or you could also treat this as a symptom of being compromised:

FV Flowplayer Video Player CSV Export Vulnerability

Another vulnerability that has been uncovered in FV player is the CSV Export Vulnerability. This vulnerability lets any guest user download the subscriber’s list, which in fact is quite a breach of privacy. And particularly dangerous too, this data could be used in various maleficient ways to exploit your WordPress website.

Solutions for Safety

Vulnerabilities, if left untreated, may result in a brutal cyber attack. And you do not want that for our websites. So, the best bet you can have in these highly unpredictable times is to update the plugin. Further,

Update to Latest Versions

FV Flowplayer Video Player has pushed out the patched versions as its latest version 7.3.15.727. Updating your plugin to this version will highly mitigate the risk.

Astra WordPress Security Suite

Astra website Security tailored for WordPress offers Web Application Firewall which guards your website against XSS, SQLi, CSV, bad bots, and 100+ other exploits. In addition to the firewall, Astra’s malware scanner is known to scan a website in less than 10 minutes and takes under 3 minutes for the subsequent scans.

Get an Astra demo now, or chat with us and we will be happy to help you.

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Aakanchha Keshri

A tech enthusiast. She loves to learn and write about CMS security. And a Potterhead.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close