CVE-2024-5522

Name of the Vulnerable Software and Affected Versions HTML5 Video Player WordPress plugin versions prior to 2.5.27

Description The issue concerns a failure to sanitize and escape a parameter from a REST route before using it in a SQL statement. This allows unauthenticated users to perform SQL injection attacks. The vulnerable API endpoint is "/wp-json/h5vp/v1/video/0" with the id parameter being used in the SQL statement. An example of exploitation is provided using the GET method with a crafted id parameter.

Recommendations For versions prior to 2.5.27, update to version 2.5.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint "/wp-json/h5vp/v1/video/0" until the update is applied. Avoid using the id parameter in the affected API endpoint until the issue is resolved.