Unrated severity · NVD Advisory · Published Jul 19, 2024 · Updated Apr 8, 2026

FV Player <= 7.5.46.7212 - Authenticated (Subscriber+) SQL Injection via exclude Parameter

CVE-2024-6338

Description

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ parameter in all versions up to, and including, 7.5.46.7212 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
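The description names the two root causes (insufficient escaping of the user-supplied parameter and a query that is not prepared). The following PHP is an added illustration of that vulnerability class in a WordPress plugin context; it is not code from FV Player, and the table name, function names and the shape of the `exclude` value are hypothetical. It places the unsafe pattern beside the hardened form a plugin author would use with `$wpdb->prepare()`.

```php
<?php
// Added illustration, not FV Player code. Table, function and parameter
// names are hypothetical; only the WordPress $wpdb API calls are real.

/**
 * Unsafe pattern: the request value is concatenated into the SQL text.
 * Note that esc_sql() alone would not fix this: it escapes quote characters,
 * and an unquoted integer list inside NOT IN (...) has none to escape, so
 * escaping cannot stand in for a prepared statement here.
 */
function hypothetical_list_videos_unsafe( $exclude ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_videos';
    $sql   = "SELECT id, title FROM {$table} WHERE id NOT IN ({$exclude}) ORDER BY id";
    return $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: normalise the input to a list of positive integers first,
 * then emit one %d placeholder per value and let $wpdb->prepare() bind them.
 * The table name is a server-side constant, so interpolating it is safe.
 */
function hypothetical_list_videos_hardened( $exclude ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_videos';

    // Accept either an array or a comma-separated string, as plugins commonly do.
    $raw = is_array( $exclude ) ? $exclude : explode( ',', (string) $exclude );

    // absint() reduces each entry to a non-negative integer; array_filter()
    // drops the zeros produced by non-numeric or empty entries.
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );

    if ( empty( $ids ) ) {
        // Nothing valid to exclude: run the query without the NOT IN clause.
        return $wpdb->get_results( "SELECT id, title FROM {$table} ORDER BY id" );
    }

    // One %d placeholder per id, e.g. "%d, %d, %d" for three values.
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id NOT IN ({$placeholders}) ORDER BY id",
        ...$ids
    );
    return $wpdb->get_results( $sql );
}
```

The hardened version works even when the number of excluded ids varies, because the placeholder list is built to match the sanitised array; any entry that is not a positive integer is dropped before the query is assembled, so the database only ever sees bound integer values.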

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The FV Flowplayer Video Player plugin for WordPress (≤7.5.46.7212) is vulnerable to time-based SQL injection via the 'exclude' parameter, allowing authenticated attackers with Subscriber-level access to extract sensitive database information.

Vulnerability

A time-based SQL injection vulnerability exists in the FV Flowplayer Video Player plugin for WordPress, affecting all versions up to and including 7.5.46.7212. The flaw resides in the handling of the user-supplied 'exclude' parameter, which is insufficiently escaped and not properly prepared within the existing SQL query. This allows an attacker to append additional SQL queries into already existing database queries [1].

Exploitation

To exploit this vulnerability, an attacker must be authenticated to the WordPress site with at least Subscriber-level access. The attacker can then manipulate the 'exclude' parameter in a related request to inject malicious SQL code. The injection is time-based, meaning the attacker observes response delays to infer information from the database, as no direct error output is provided. No other special network position or user interaction beyond the initial authentication is required [1].

Impact

Successful exploitation allows an authenticated attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other private data stored in database tables. The compromise is limited to information disclosure; it does not directly provide file write or remote code execution capabilities, but the extracted data could be used for further attacks against the site or its users [1].

Mitigation

The vendor released version 7.5.50.7212 as a fix for this vulnerability, as confirmed by the official WordPress plugin repository [1]. All users are strongly advised to update the FV Flowplayer Video Player plugin to version 7.5.50.7212 or later immediately. No workarounds are available for earlier versions. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 1


References: 4

News mentions: 0