CVE-2019-14800

Name of the Vulnerable Software and Affected Versions FV Flowplayer Video Player plugin versions prior to 7.3.15.727

Description The issue allows unauthorized access to the email subscription list in CSV format. This can be achieved by accessing a specific URI, '/wp-admin/admin-post.php?page=fvplayer&fv-email-export=1', which is an API endpoint. The fv-email-export parameter is used to export the email list.

Recommendations For versions prior to 7.3.15.727, update to version 7.3.15.727 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/admin-post.php API endpoint to minimize the risk of exploitation. Avoid using the fv-email-export parameter in the affected API endpoint until the issue is resolved.