CVE-2024-35631
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Foliovision FV Flowplayer Video Player allows Reflected XSS. This issue affects FV Flowplayer Video Player: from n/a through 7.5.45.7212.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in FV Flowplayer Video Player WordPress plugin through 7.5.45.7212 allows attackers to inject arbitrary web scripts via crafted requests.
Vulnerability
The FV Flowplayer Video Player plugin for WordPress (versions through 7.5.45.7212) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The flaw exists in the plugin's handling of certain parameters, allowing an attacker to inject malicious JavaScript into a response. The plugin is widely used for embedding HTML5 videos with Flash fallback [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL whose query string or form input triggers the XSS. No authentication is required; the attacker only needs to trick a logged-in WordPress user (e.g., an administrator) into clicking the crafted link. The injected script executes in the context of the victim's browser session on the affected WordPress site [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the site, redirection to malicious sites, or theft of sensitive information such as cookies and authentication tokens. The impact is limited to the victim's browser session but can be leveraged for further attacks if the victim has elevated privileges [1].
Mitigation
The vendor has addressed this vulnerability in version 7.5.50.7212 of the FV Flowplayer Video Player plugin. Users are strongly advised to update to this version or later immediately. If updating is not possible, consider applying input validation and output encoding to all user-controlled parameters, or using a web application firewall (WAF) to block malicious requests. No workarounds are provided by the vendor [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.5.45.7212
- Range: <=7.5.45.7212
Patches
No patches discovered yet.