May 20, 2019 by Luka Šikić
At the beginning of this week, we have identified persistent cross-site scripting in popular WordPress plugin Flowplayer Video Player.
FV Player is a free plugin for embedding FLV or MP4 videos into your posts or pages with Flash fallback for legacy browsers. In addition to the many other features, this plugin allows you to collect email subscriptions.
The issue with email subscription component is that emails are being saved in the database even if they are detected as malformed.
The vulnerable function is exposed to unauthenticated users over `wp_ajax_nopriv_fv_wp_flowplayer_email_signup` ajax hook. It saves anything that user provides in `email` POST parameter.
Provided email input is then rendered on email export screen without being sanitized. This leaves admin users exposed to the danger of persistent cross-site scripting attacks.
A vulnerability affects plugin FV Flowplayer Video Player version 220.127.116.117 and before.
Plugin developers have been notified about the issue on May 13th, 2019. and took intermediate action and released a fixed version (18.104.22.1687) one day later on May 14th, 2019.
As we can see from the statistics above, half of the users are using version 7.2 and older. This means it may be that about 20 000+ users who have the outdated FV Flowplayer Video Player plugin version are vulnerable to exploits.
Always keep your plugins updated. If possible, enable automatic updates. If you are using the mentioned plugin, you need to update it with the latest version as soon as possible.
Websites with WebARX firewall installed were protected before, and after detecting this security issue. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.