CVE-2020-35748

Name of the Vulnerable Software and Affected Versions: FV Flowplayer Video Player plugin versions prior to 7.4.37.727

Description: The issue allows remote authenticated users to inject arbitrary web script or HTML via the fv wp fvvideoplayer src JSON field in the data parameter. This is a cross-site scripting (XSS) vulnerability in the models/list-table.php file.

Recommendations: For versions prior to 7.4.37.727, update to version 7.4.37.727 or later to resolve the issue. As a temporary workaround, consider restricting access to the models/list-table.php file or disabling the fv wp fvvideoplayer src JSON field in the data parameter until a patch is applied.