11 Jul 2019

Vulnerability Details: Authenticated SQL Injection in FV Player

One of the changelog entries for the latest version of FV Player is “Security – fix for SQL injection vulnerability on the wp-admin FV Player screen for users with access”. Looking at the changes made, we found that an authenticated SQL injection vulnerability was fixed, though the code hasn’t been properly secured and there may still be related issues.



15 May 2019

Information Disclosure Vulnerability in FV Player (FV Flowplayer Video Player)

Earlier today we noted a security company putting out inaccurate information on vulnerabilities in a WordPress plugin. That isn’t uncommon: while looking into who might have discovered a recent vulnerability, we found NinTechNet suggesting updating the plugin, FV Player (FV Flowplayer Video Player), to version 7.3.13.727:

WordPress “FV Flowplayer Video Player” plugin (40,000+ active installations) fixed XSS vulnerability. Update to v7.3.13.727.

15 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in FV Player (FV Flowplayer Video Player)

One of the changelog entries for the latest version of FV Player (FV Flowplayer Video Player) is “Security – fix for XSS vulnerability in email subscription”. When we started to look into that, we found not only that a persistent cross-site scripting (XSS) vulnerability had been fixed in the email subscription functionality, but also that there is another vulnerability in that same functionality, which we will disclose in a follow-up post.

