PT-2021-22556 · WordPress · Fv Flowplayer Video Player

Margaux Dabert

Published

2021-10-06

Updated

2025-02-14

CVE-2021-39350

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions: FV Flowplayer Video Player WordPress plugin versions 7.5.0.727 through 7.5.2.727

Description: The issue allows attackers to inject arbitrary web scripts via the player id parameter found in the ~/view/stats.php file, enabling Reflected Cross-Site Scripting attacks.

Recommendations: For versions 7.5.0.727 through 7.5.2.727, consider disabling access to the ~/view/stats.php file or restricting the use of the player id parameter until a patch is available.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-39350

Affected Products

Fv Flowplayer Video Player

PT-2021-22556 · WordPress · Fv Flowplayer Video Player

CVE-2021-39350

Weakness Enumeration

Related Identifiers

Affected Products

References · 6