CVE-2024-29122
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision: Making the web work for you FV Flowplayer Video Player allows Stored XSS. This issue affects FV Flowplayer Video Player: from n/a through 7.5.41.7212.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unvalidated input in FV Flowplayer Video Player versions up to 7.5.41.7212 allows stored XSS through malicious scripts injected into video parameters.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the FV Flowplayer Video Player plugin for WordPress, affecting versions from n/a through 7.5.41.7212 [1]. Improper neutralization of user-supplied input during web page generation allows attackers to inject arbitrary JavaScript into video player parameters. The vulnerability is reachable when an authenticated user with contributor-level access or higher can add or edit video items in posts or pages [1].
Exploitation
An attacker must have authenticated access to the WordPress admin area with at least contributor privileges. The attacker can craft a malicious video shortcode or custom field value containing embedded JavaScript, which is then stored in the database and executed in the browsers of visitors viewing the affected page. No additional user interaction is required beyond visiting the page [1].
Impact
Successful exploitation leads to stored cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the browser of any user who views the compromised page. This can result in session hijacking, cookie theft, defacement, or redirection to malicious sites. The impact is medium (CVSS 6.5) due to the need for authentication and the scope change to other users [1].
Mitigation
The vulnerability has been patched in version 7.5.50.7212. Administrators should update the FV Flowplayer Video Player plugin to version 7.5.50.7212 or later as soon as possible [1]. No workaround is available in the provided references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.5.41.7212
- Range: <=7.5.41.7212
- Range: <=7.5.41.7212
Patches
No patches discovered yet.
References