Unrated severity · NVD Advisory · Published Mar 18, 2022 · Updated Apr 28, 2026

WordPress FV Flowplayer Video Player plugin <= 7.5.15.727 - SQL Injection (SQLi) vulnerability

CVE-2022-25607

Description

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in FV Flowplayer Video Player WordPress plugin versions ≤ 7.5.15.727 allows author-level users to execute arbitrary SQL queries.

Vulnerability

An authenticated SQL injection vulnerability exists in the FV Flowplayer Video Player WordPress plugin (versions ≤ 7.5.15.727). The flaw is present in the plugin's code and can be triggered by users with at least the Author role. The exact input vector is not publicly detailed, but the vulnerability is classified as a SQLi, indicating that unsanitized user-supplied data is used in database queries [1].

Exploitation

To exploit this vulnerability, an attacker must have a WordPress account with Author privileges or higher. No additional network position or user interaction beyond authentication is required. The attacker can craft a malicious input (e.g., via a plugin parameter or form field) that is not properly sanitized, leading to SQL injection. The specific steps are not disclosed, but the attack is straightforward for an authenticated user with the necessary role [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the WordPress database. This can result in data exfiltration (e.g., reading sensitive user data, posts, or options), data modification, or privilege escalation. The attacker gains the ability to manipulate the database at the level of the database user used by WordPress, potentially compromising the entire site [1].

Mitigation

The vulnerability is fixed in versions later than 7.5.15.727. The latest version available is 7.5.50.7212, which should be installed immediately [1]. No workarounds are documented. Users running an affected version should update the plugin via the WordPress dashboard or by downloading the latest release from the plugin repository.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
