CVE-2023-4520

Name of the Vulnerable Software and Affected Versions FV Flowplayer Video Player plugin for WordPress versions up to, and including, 7.5.37.7212

Description The issue affects the FV Flowplayer Video Player plugin for WordPress, allowing Stored Cross-Site Scripting via the fv player user video parameter saved through the save function. This is due to insufficient input sanitization and output escaping. As a result, unauthenticated attackers can inject arbitrary web scripts into pages, which will execute when a user accesses an injected page. Additionally, the plugin is vulnerable to Arbitrary Usermeta Update via the save function, allowing attackers to update user metas arbitrarily, though the meta value can only be a string.

Recommendations For versions up to, and including, 7.5.37.7212, consider disabling the save function until a patch is available to prevent exploitation. Restrict access to the fv player user video parameter to minimize the risk of Stored Cross-Site Scripting. Avoid using the save function for updating user metas until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.