WordPress FV Flowplayer Video Player plugin <= 7.5.18.727 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Description
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in FV Flowplayer Video Player (WordPress plugin) versions <= 7.5.18.727 via the fv_wp_flowplayer_field_splash parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated persistent XSS in FV Flowplayer Video Player plugin <= 7.5.18.727 via the fv_wp_flowplayer_field_splash parameter allows stored script injection.
Vulnerability
The FV Flowplayer Video Player WordPress plugin (versions <= 7.5.18.727) contains an authenticated persistent Cross-Site Scripting (XSS) vulnerability in the fv_wp_flowplayer_field_splash parameter. This parameter is used for setting a splash image URL. The plugin fails to properly sanitize or escape the input before storing it, allowing a user with sufficient privileges (e.g., Author or higher) to inject arbitrary JavaScript code. [1][2]
Exploitation
An attacker must have an authenticated account with at least Author-level privileges on the WordPress site. The attacker can craft a malicious payload in the fv_wp_flowplayer_field_splash field when editing a video player instance. The payload is stored in the database and executed when any user (including administrators and visitors) views the page containing the affected video player. No additional user interaction is required for the stored script to execute. [2]
Impact
Successful exploitation allows the attacker to inject arbitrary JavaScript into the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies and authentication tokens. The attack is persistent, meaning the malicious script remains active until the input is removed or sanitized. [2]
Mitigation
The vulnerability is fixed in version 7.5.19.727. Users should update to this version or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is provided for older versions. [2]
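The Vulnerability and Mitigation sections above describe the flaw class (a splash image URL stored unsanitized and echoed unescaped into an attribute) without showing it. The following PHP is an added illustration written for this page; it is not code from the FV Flowplayer plugin or its fix, and the fvx_* function names and the `<video poster>` output are assumptions chosen to make the pattern concrete. The WordPress helpers esc_attr(), esc_url_raw() and esc_url() are real, but when the file runs outside WordPress (plain `php` on the command line) minimal stand-ins are defined so the example is self-contained; the stand-ins are deliberately simpler than the WordPress originals.

```php
<?php
// Added illustration of the stored-XSS pattern discussed on this page.
// Not code from the FV Flowplayer plugin. fvx_* names are hypothetical.
// Fallbacks below let the file run with plain `php`; inside WordPress the
// real helpers are used instead.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape for an HTML attribute value.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url_raw')) {
    // Simplified stand-in for WordPress esc_url_raw(): keep http(s) and
    // scheme-less URLs, reject any other scheme (javascript:, data:, ...).
    // The real function also strips characters that are invalid in URLs.
    function esc_url_raw($url) {
        $url = trim((string) $url);
        if ($url === '') {
            return '';
        }
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
            return '';
        }
        return $url;
    }
}
if (!function_exists('esc_url')) {
    // Stand-in for WordPress esc_url(): a URL safe to place in an attribute.
    function esc_url($url) {
        return esc_attr(esc_url_raw($url));
    }
}

// Vulnerable pattern: the request value is stored as-is and the stored
// value is echoed straight into an attribute. A splash value such as
//   x" onerror="alert(document.cookie)
// closes the poster attribute and injects a handler that runs for every
// viewer of the page, which is the persistent XSS described above.
function fvx_store_splash_vulnerable(array $request) {
    return $request['fv_wp_flowplayer_field_splash'] ?? '';
}
function fvx_render_splash_vulnerable($splash) {
    return '<video poster="' . $splash . '"></video>';
}

// Hardened pattern: sanitize on write (URL allow-list) AND escape on output
// (attribute context). Both layers matter: sanitizing only on write leaves
// already-stored malicious values live; escaping only on output still lets a
// javascript: URL through wherever the value is used for navigation.
function fvx_store_splash_hardened(array $request) {
    return esc_url_raw($request['fv_wp_flowplayer_field_splash'] ?? '');
}
function fvx_render_splash_hardened($splash) {
    return '<video poster="' . esc_url($splash) . '"></video>';
}

// Constructed sample inputs (not taken from any real exploit) showing how
// each path handles a legitimate URL, an attribute break-out and a
// dangerous scheme.
function fvx_demo() {
    $payloads = [
        'https://example.com/splash.jpg',        // legitimate splash image
        'x" onerror="alert(document.cookie)',     // attribute break-out
        'javascript:alert(1)',                    // scheme abuse
    ];
    $rows = [];
    foreach ($payloads as $p) {
        $req = ['fv_wp_flowplayer_field_splash' => $p];
        $rows[] = [
            'input'      => $p,
            'vulnerable' => fvx_render_splash_vulnerable(fvx_store_splash_vulnerable($req)),
            'hardened'   => fvx_render_splash_hardened(fvx_store_splash_hardened($req)),
        ];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    print_r(fvx_demo());
}
```

Running `php` on the file prints the three cases side by side: the vulnerable renderer emits the break-out payload as live markup (`poster="x" onerror="alert(document.cookie)"`), while the hardened renderer emits `poster="x&quot; onerror=&quot;alert(document.cookie)"` and reduces the javascript: URL to an empty attribute. When auditing a site that ran an affected version, remember the second point in the comments: updating the plugin fixes how new values are handled, but any splash value already stored by an attacker should be reviewed and removed, since the page reports no workaround for older versions.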
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 7.5.18.727
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.