Coldfusionx

**Name of the Vulnerable Software and Affected Versions** HTML5 Video Player WordPress plugin versions prior to 2.5.27 **Description** The issue concerns a failure to sanitize and escape a parameter from a REST route before using it in a SQL statement. This allows unauthenticated users to perform SQL injection attacks. The vulnerable API endpoint is "/wp-json/h5vp/v1/video/0" with the `id` parameter being used in the SQL statement. An example of exploitation is provided using the `GET` method with a crafted `id` parameter. **Recommendations** For versions prior to 2.5.27, update to version 2.5.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint "/wp-json/h5vp/v1/video/0" until the update is applied. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved.