CVE-2024-22299
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision: Making the web work for you FV Flowplayer Video Player allows Reflected XSS. This issue affects FV Flowplayer Video Player: from n/a through 7.5.41.7212.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in FV Flowplayer Video Player WordPress plugin versions through 7.5.41.7212 allows attackers to inject arbitrary web scripts via improperly sanitized input.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the FV Flowplayer Video Player WordPress plugin, in versions up to and including 7.5.41.7212. The issue stems from improper neutralization of user-controlled input during web page generation. An attacker can place arbitrary JavaScript or HTML in a crafted URL; when a victim visits that URL, the injected content executes in the context of their browser session [1].
Exploitation
An attacker does not require any special network position beyond being able to craft a malicious URL. No authentication or prior write access is needed. The attacker must trick a logged-in WordPress administrator or user into clicking the crafted link (e.g., via email or social engineering). Upon clicking, the reflected payload is echoed back in the page response without proper sanitization, executing in the victim's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser within the context of the vulnerable WordPress site. This can lead to session cookie theft, defacement, redirection to malicious sites, or other actions the victim user can perform. The impact is limited to the privileges of the victim user (typically administrator) and the browser security context [1].
Mitigation
The vulnerability is patched in version 7.5.50.7212, which was released on May 4, 2026 [1]. Users should update to this version or later immediately. If immediate update is not possible, consider using Web Application Firewall (WAF) rules to filter reflected XSS patterns or restrict access to the plugin's admin pages as a temporary workaround until the update can be applied [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.5.41.7212
- Range: <=7.5.41.7212
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.