CVE-2021-39350

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the playerid parameter found in the /view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727...

CVE-2021-39350 FV Flowplayer Video Player <= 7.5.0.727 - 7.5.2.727 Reflected Cross-Site Scripting

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the playerid parameter found in the /view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727...

CVE-2021-39350

FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter in ~/view/stats.php (versions 7.5.0.727–7.5.2.727). An attacker can inject arbitrary scripts. Remediation: update to version 7.5.3.727 or later.

FV Flowplayer Video Player < 7.5.3.727 - Reflected Cross-Site Scripting

The plugin does not escape or validate the playerid parameter before outputting back in the Stats page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator...