Another plugin has entered the ever-growing list of vulnerable WordPress plugins. The WordPress free plugin FV Flowplayer Video Player which is being used for embedding FLV or MP4 videos into posts or pages is found to be vulnerable to XSS, SQL injection & CSV Export. Installed on 40,000+ websites at present, it has been updated only 4 days ago after the vulnerabilities were reported. Versions prior to 7.3.14.727 are vulnerable to the mentioned attacks.
FV Flowplayer Video Player SQLi Vulnerability
This rather critical SQLi vulnerability in FV Flowplayer lets an unauthenticated attacker inject malicious JavaScript code.
The vulnerable function here is the`wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. The ‘email‘ in the above script accepts any input in the email field and the data gets transmitted to the sensitive email database.
In the case of SQLi vulnerability in WordPress, the following signs could help you if your website is being compromised or not. Here is the list:
- New admin users added
- Admin user password is not working
- Hacker has emailed with a screenshot of the database
- Authorize.net tokens leaked
- Website defaced
FV Flowplayer Video Player XSS Vulnerability
The above malicious codes, in turn, gets executed in admin’s web browser.
As discussed earlier the malicious input gets to the email export screen without being sanitized. The consequences of this could be devastating as this might result in persistent cross-site scripting attacks.
It saves anything that the user provides in `email` POST parameter.
The XSS vulnerability is quite a severe one as it could lead to rather serious damage to your WordPress website if exploited. Listed below are only a few probable exploits that could bud from XSS vulnerability. Or you could also treat this as a symptom of being compromised:
- Redirecting to another site
- Malicious pop-ups
- WooCommerce credit card hack
- Malicious google ads on the website
- Username/Password of the website is compromised
FV Flowplayer Video Player CSV Export Vulnerability
Another vulnerability that has been uncovered in FV player is the CSV Export Vulnerability. This vulnerability lets any guest user download the subscriber’s list, which in fact is quite a breach of privacy. And particularly dangerous too, this data could be used in various maleficient ways to exploit your WordPress website.
Solutions for Safety
Vulnerabilities, if left untreated, may result in a brutal cyber attack. And you do not want that for our websites. So, the best bet you can have in these highly unpredictable times is to update the plugin. Further,
Update to Latest Versions
FV Flowplayer Video Player has pushed out the patched versions as its latest version 7.3.15.727. Updating your plugin to this version will highly mitigate the risk.
Astra WordPress Security Suite
Astra website Security tailored for WordPress offers Web Application Firewall which guards your website against XSS, SQLi, CSV, bad bots, and 100+ other exploits. In addition to the firewall, Astra’s malware scanner is known to scan a website in less than 10 minutes and takes under 3 minutes for the subsequent scans.
Get an Astra demo now, or chat with us and we will be happy to help you.