HTML5 Video Player – Embed and Play Videos in Custom Player Security & Risk Analysis

wordpress.org/plugins/html5-video-player

HTML5 Video Player Plugin lets you embed responsive videos in WordPress. It’s easy to use, fast, and supports MP4, WebM, OGG, FLV, Youtube and Vimeo.

20K active installs · v2.9.1 · PHP 7.1+ · WP 5.8+ · Updated Mar 5, 2026
Tags: html5-video-player, mp4-player, plyr, video, video-player
94
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Jan 13, 2025
Safety Verdict

Is HTML5 Video Player – Embed and Play Videos in Custom Player Safe to Use in 2026?

Generally Safe

Score 94/100

HTML5 Video Player – Embed and Play Videos in Custom Player has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jan 13, 2025 · Updated 29d ago
Risk Assessment

The "html5-video-player" plugin v2.9.1 presents a mixed security posture. On the positive side, the code demonstrates strong adherence to secure coding practices, with an overwhelming majority of SQL queries utilizing prepared statements and output being properly escaped. The plugin also implements a good number of nonce and capability checks, indicating an awareness of common WordPress security vulnerabilities. Furthermore, the absence of critical or high severity taint flows in the static analysis is a positive sign.

However, significant concerns arise from the plugin's historical vulnerability record and certain aspects of its attack surface. The presence of 8 known CVEs, including one critical and seven medium severity issues, is a major red flag. This history suggests a recurring pattern of security weaknesses that have previously led to serious vulnerabilities like missing authorization, information exposure, SQL injection, and cross-site scripting. The most recent vulnerability being in early 2025, despite the current version being 2.9.1, suggests these past issues might not be fully mitigated in this specific version or were discovered very recently. The static analysis also reveals 2 AJAX handlers that lack authentication checks, creating potential entry points for unauthorized actions, even if the taint analysis didn't find immediate critical flows originating from them.

Key Concerns

  • History of 1 critical CVE
  • History of 7 medium CVEs
  • 2 AJAX handlers without auth checks
  • History of SQL Injection vulns
  • History of XSS vulns
  • History of Missing Authorization vulns
  • History of Sensitive Info Exposure vulns
  • Bundled Freemius v1.0 library
Vulnerabilities
8

HTML5 Video Player – Embed and Play Videos in Custom Player Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 6 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 1
Medium: 7

8 total CVEs

CVE-2024-13156 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter

Jan 13, 2025 · Patched in 2.5.36 (1d)

CVE-2024-7721 · medium · 4.3 · Missing Authorization

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

Sep 10, 2024 · Patched in 2.5.35 (1d)

CVE-2024-7727 · medium · 5.3 · Missing Authorization

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler

Sep 10, 2024 · Patched in 2.5.33 (1d)

CVE-2024-43319 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure

Aug 16, 2024 · Patched in 2.5.32 (7d)

CVE-2024-43296 · medium · 6.4 · Missing Authorization

Flash & HTML5 Video <= 2.5.30 - Missing Authorization

Aug 16, 2024 · Patched in 2.5.31 (7d)

CVE-2024-5522 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

HTML5 Video Player <= 2.5.26 - Unauthenticated SQL Injection

May 30, 2024 · Patched in 2.5.27 (1d)

CVE-2024-1061 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id

Jan 31, 2024 · Patched in 2.5.25 (121d)

CVE-2023-6485 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Html5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Dec 8, 2023 · Patched in 2.5.19 (175d)

Code Analysis
Analyzed Mar 16, 2026

HTML5 Video Player – Embed and Play Videos in Custom Player Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (45 prepared)
Unescaped Output: 3 (158 escaped)
Nonce Checks: 9
Capability Checks: 8
File Operations: 2
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Freemius 1.0

SQL Query Safety

98% prepared · 46 total queries

Output Escaping

98% escaped · 161 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
analytics_callback (inc\Base\Analytics.php:28)
Attack Surface
2 unprotected

HTML5 Video Player – Embed and Play Videos in Custom Player Attack Surface

Entry Points: 19
Unprotected: 2

AJAX Handlers 14

auth · wp_ajax_watermark_data · blocks.php:16
nopriv · wp_ajax_watermark_data · blocks.php:17
nopriv · wp_ajax_pipe_handler · html5-video-player.php:92
auth · wp_ajax_pipe_handler · html5-video-player.php:93
auth · wp_ajax_h5vp_aws_picker · inc\Base\AWS.php:13
auth · wp_ajax_h5vp_dulicate_player · inc\Base\duplicate-player.php:73
auth · wp_ajax_h5vp_dismiss_aws_notice · inc\Base\Notice.php:13
auth · wp_ajax_h5vp_ajax_handler · inc\Model\Ajax.php:24
nopriv · wp_ajax_h5vp_ajax_handler · inc\Model\Ajax.php:25
auth · wp_ajax_h5vp_aws_picker · inc\Model\Ajax.php:28
auth · wp_ajax_h5vp_export_data · inc\Model\Ajax.php:31
auth · wp_ajax_h5vp_save_preferred_editor · inc\Model\Ajax.php:34
auth · wp_ajax_h5vp_get_editable_roles · inc\Model\Ajax.php:37
auth · wp_ajax_h5vp_pro_grab_slider_list_ajax · tinymce\h5vp-tinymce.php:39

REST API Routes 1

POST · /wp-json/h5vp/v1/analytics · inc\Rest\Analytics.php:16

Shortcodes 4

[video] inc\Services\Shortcodes.php:17
[video_player] inc\Services\Shortcodes.php:19
[html5_video] inc\Services\Shortcodes.php:20
[video_playlist] inc\Services\ShortcodesPro.php:17

WordPress Hooks 49

action · wp_footer · admin\player-control-script.php:6
action · init · blocks.php:14
action · enqueue_block_assets · blocks.php:15
action · elementor/frontend/after_register_scripts · elementor-widget.php:80
action · elementor/widgets/register · elementor-widget.php:83
action · elementor/controls/controls_registered · elementor-widget.php:85
action · plugins_loaded · html5-video-player.php:71
action · wp_footer · html5-video-player.php:108
action · admin_enqueue_scripts · inc\admin.php:10
action · admin_menu · inc\admin.php:11
action · admin_menu · inc\Base\Analytics.php:19
action · post_row_actions · inc\Base\duplicate-player.php:20
action · admin_notices · inc\Base\duplicate-player.php:94
filter · upload_mimes · inc\Base\ExtendMime.php:12
filter · wp_check_filetype_and_ext · inc\Base\ExtendMime.php:15
filter · wp_check_filetype_and_ext · inc\Base\ExtendMime.php:17
filter · post_row_actions · inc\Base\GlobalChanges.php:13
action · admin_head-post.php · inc\Base\GlobalChanges.php:14
action · admin_head-post-new.php · inc\Base\GlobalChanges.php:15
filter · gettext · inc\Base\GlobalChanges.php:16
filter · post_updated_messages · inc\Base\GlobalChanges.php:17
action · admin_init · inc\Base\GlobalChanges.php:19
filter · block_categories · inc\Base\GlobalChanges.php:22
filter · block_categories_all · inc\Base\GlobalChanges.php:24
action · media_buttons · inc\Base\GlobalChanges.php:27
filter · admin_footer_text · inc\Base\GlobalChanges.php:33
action · admin_menu · inc\Base\Menu.php:12
action · admin_enqueue_scripts · inc\Base\Menu.php:13
action · admin_head · inc\Base\Menu.php:14
action · admin_notices · inc\Base\Notice.php:15
action · admin_notices · inc\Base\Notice.php:31
action · init · inc\Field\QuickPlayer.php:12
action · init · inc\Field\Settings.php:12
action · init · inc\Field\VideoPlayer.php:13
action · init · inc\PostType\VideoPlayer.php:22
action · edit_form_after_title · inc\PostType\VideoPlayer.php:25
filter · pre_get_posts · inc\PostType\VideoPlayer.php:37
action · use_block_editor_for_post · inc\PostType\VideoPlayer.php:38
filter · filter_block_editor_meta_boxes · inc\PostType\VideoPlayer.php:39
filter · save_post · inc\PostType\VideoPlayer.php:43
action · rest_api_init · inc\Rest\Analytics.php:12
action · rest_api_init · inc\Rest\VideoController.php:19
action · wp_enqueue_scripts · inc\Services\EnqueueAssets.php:16
action · admin_enqueue_scripts · inc\Services\EnqueueAssets.php:17
action · wp_head · inc\Services\EnqueueAssets.php:18
action · admin_init · tinymce\h5vp-tinymce.php:48
action · admin_head · tinymce\h5vp-tinymce.php:56
action · media_buttons · tinymce\h5vp-tinymce.php:71
action · admin_footer · tinymce\h5vp-tinymce.php:86
Maintenance & Trust

HTML5 Video Player – Embed and Play Videos in Custom Player Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.1
Downloads: 828K

Community Trust

Rating: 92/100
Number of ratings: 192
Active installs: 20K
Developer Profile

HTML5 Video Player – Embed and Play Videos in Custom Player Developer Profile

colorlibplugins

120 plugins · 738K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 140 days
Detection Fingerprints

How We Detect HTML5 Video Player – Embed and Play Videos in Custom Player

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/html5-video-player/build/frontend.css
/wp-content/plugins/html5-video-player/build/frontend.js
/wp-content/plugins/html5-video-player/public/css/h5vp.css
/wp-content/plugins/html5-video-player/public/js/plyr-v3.8.3.polyfilled.js
Script Paths
/wp-content/plugins/html5-video-player/build/frontend.js
/wp-content/plugins/html5-video-player/public/js/plyr-v3.8.3.polyfilled.js
Version Parameters
/wp-content/plugins/html5-video-player/build/frontend.css?ver=
/wp-content/plugins/html5-video-player/build/frontend.js?ver=
/wp-content/plugins/html5-video-player/public/css/h5vp.css?ver=
/wp-content/plugins/html5-video-player/public/js/plyr-v3.8.3.polyfilled.js?ver=

HTML / DOM Fingerprints

CSS Classes
plyr
JS Globals
H5VP, h5vp_fs
REST Endpoints
/wp-json/h5vp/