FV Flowplayer Video Player <= 7.3.18.727 - SQL Injection



Description
Lack of sanitisation of the order and order_by variables in the getListPageData() function could allow SQL injection attacks.

Affects Plugin

Fixed in version 7.3.19.727

References

CVE 2019-13573
URL https://www.fortinet.com/blog/threat-research/wordpress-plugin-sql-injection-vulnerability.html
URL https://plugins.trac.wordpress.org/changeset/2121566
URL https://github.com/foliovision/fv-wordpress-flowplayer/commit/02bea654fba7ae870c06e768350367903df9855f
URL https://fortiguard.com/zeroday/FG-VD-19-097

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Tin Duong
Views 3203
Verified No
WPVDB ID 9451

Timeline

Publicly Published 2019-07-11 (4 months ago)
Added 2019-07-12 (4 months ago)
Last Updated 2019-08-29 (3 months ago)
