WordPress FV Flowplayer Video Player Plugin <= 7.5.30.7212 is vulnerable to Cross Site Request Forgery (CSRF)
Description
Cross-Site Request Forgery (CSRF) vulnerability in the FolioVision FV Flowplayer Video Player plugin, versions <= 7.5.30.7212.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in FV Flowplayer Video Player plugin for WordPress versions up to 7.5.30.7212 allows attackers to perform unauthorized actions.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the FV Flowplayer Video Player plugin for WordPress (fv-wordpress-flowplayer) in versions up to and including 7.5.30.7212. The plugin fails to properly validate or enforce CSRF tokens on certain administrative actions, allowing an attacker to trick a logged-in administrator into executing unintended requests.
Exploitation
An attacker must craft a malicious link or page that, when visited by an authenticated WordPress administrator with the plugin installed, triggers a forged request to the plugin's administrative endpoints. No additional authentication is required beyond the victim's existing session. The attacker does not need direct network access to the target site; the victim's browser performs the request automatically.
Impact
Successful exploitation enables the attacker to perform state-changing operations on the plugin's settings or configuration without the administrator's consent. Depending on the plugin's capabilities, this could include modifying video player options, adding or deleting video sources, or altering other plugin-specific data. The attacker does not gain direct code execution but can manipulate the plugin's behavior.
Mitigation
The vulnerability is fixed in version 7.5.50.7212 of the FV Flowplayer Video Player plugin, as indicated by the plugin's update history [1]. Users should update to this version or later. No workarounds are documented; updating is the recommended action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.5.30.7212
- Range: n/a
Patches
No patches discovered yet.
References