Plugin Exploit

FV Flowplayer Video Player vulnerable to XSS, SQL injection, CSV Export

Updated on: March 29, 2020

FV Flowplayer Video Player vulnerable to XSS, SQL injection, CSV Export

Another plugin has entered the ever-growing list of vulnerable WordPress plugins. The WordPress free plugin FV Flowplayer Video Player which is being used for embedding FLV or MP4 videos into posts or pages is found to be vulnerable to XSS, SQL injection & CSV Export. Installed on 40,000+ websites at present, it has been updated only 4 days ago after the vulnerabilities were reported. Versions prior to 7.3.14.727 are vulnerable to the mentioned attacks.

FV Flowplayer Video Player SQLi Vulnerability

This rather critical SQLi vulnerability in FV Flowplayer lets an unauthenticated attacker inject malicious JavaScript code.

The vulnerable function here is the`wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. The ‘email‘ in the above script accepts any input in the email field and the data gets transmitted to the sensitive email database.

In the case of SQLi vulnerability in WordPress, the following signs could help you if your website is being compromised or not. Here is the list:

FV Flowplayer Video Player XSS Vulnerability

The above malicious codes, in turn, gets executed in admin’s web browser.

As discussed earlier the malicious input gets to the email export screen without being sanitized. The consequences of this could be devastating as this might result in persistent cross-site scripting attacks.

It saves anything that the user provides in `email` POST parameter.

The XSS vulnerability is quite a severe one as it could lead to rather serious damage to your WordPress website if exploited. Listed below are only a few probable exploits that could bud from XSS vulnerability. Or you could also treat this as a symptom of being compromised:

FV Flowplayer Video Player CSV Export Vulnerability

Another vulnerability that has been uncovered in FV player is the CSV Export Vulnerability. This vulnerability lets any guest user download the subscriber’s list, which in fact is quite a breach of privacy. And particularly dangerous too, this data could be used in various maleficient ways to exploit your WordPress website.

Solutions for Safety

Vulnerabilities, if left untreated, may result in a brutal cyber attack. And you do not want that for our websites. So, the best bet you can have in these highly unpredictable times is to update the plugin. Further,

Update to Latest Versions

FV Flowplayer Video Player has pushed out the patched versions as its latest version 7.3.15.727. Updating your plugin to this version will highly mitigate the risk.

Astra WordPress Security Suite

Astra website Security tailored for WordPress offers Web Application Firewall which guards your website against XSS, SQLi, CSV, bad bots, and 100+ other exploits. In addition to the firewall, Astra’s malware scanner is known to scan a website in less than 10 minutes and takes under 3 minutes for the subsequent scans.

Get an Astra demo now, or chat with us and we will be happy to help you.

Was this post helpful?

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany