FV Flowplayer Video Player < 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Description
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<7.5.51.7212Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the technical steps to analyze and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the **FV Flowplayer Video Player** plugin. --- ### 1. Vulnerability Summary - **Vulnerability:** Stored Cross-Site Scripting (XSS) - **Plugin:** FV Flowplayer Video Player …
Show full research plan
This research plan outlines the technical steps to analyze and exploit the Stored Cross-Site Scripting (XSS) vulnerability in the FV Flowplayer Video Player plugin.
1. Vulnerability Summary
- Vulnerability: Stored Cross-Site Scripting (XSS)
- Plugin: FV Flowplayer Video Player (slug:
fv-wordpress-flowplayer) - Affected Versions: < 7.5.51.7212
- Requirement: Authenticated user with Subscriber-level access or higher.
- Root Cause: The plugin registers AJAX handlers for saving player settings or metadata without verifying the user's capabilities (e.g.,
manage_options) and fails to sanitize input before storing it in the database. When these settings are rendered on the frontend (often via the[fvplayer]shortcode), they are not properly escaped, allowing for arbitrary script execution.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - AJAX Action:
fv_player_save_settings(inferred from previous CVEs in this plugin) or a similar settings-saving action. - Vulnerable Parameter: Likely a field within a settings array, such as
fv_player_settings[ads][tracking_code]orfv_player_settings[custom_css](inferred). - Authentication: Required (Subscriber+).
- Mechanism: The attacker sends a POST request to the AJAX endpoint with a malicious payload. The plugin saves this to a WordPress option or post meta. The payload is later reflected in the HTML source of any page containing the video player.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX action during
initoradmin_inithooks:// Inferred registration pattern add_action( 'wp_ajax_fv_player_save_settings', array( 'FV_Player_Settings', 'ajax_save' ) ); - Processing: The handler
ajax_save()is called. It likely performs a nonce check but fails to checkcurrent_user_can( 'manage_options' ). - Sink (Storage): The handler takes the
$_POSTdata and usesupdate_option()orupdate_post_meta()without applyingsanitize_text_field()orwp_kses(). - Sink (Output): When a user visits a page with the
[fvplayer]shortcode, the plugin retrieves the stored data and echoes it directly into the page (e.g., inside a<script>block or as a raw HTML attribute) without usingesc_js(),esc_attr(), oresc_html().
4. Nonce Acquisition Strategy
The plugin uses wp_localize_script to pass configuration data and nonces to the frontend.
- Shortcode Identification: The plugin's primary shortcode is
[fvplayer]. - Setup: Create a post containing the shortcode to ensure the plugin scripts are loaded.
wp post create --post_type=page --post_title="XSS Test" --post_status=publish --post_content='[fvplayer src="https://example.com/video.mp4"]' - Navigation: Use the browser to navigate to the newly created page.
- Extraction: Use
browser_evalto extract the nonce. The plugin typically localizes its data under thefv_player_phporfv_flowplayer_confobject.- Target Variable:
window.fv_player_php?.nonce(inferred) or check the source forfv_player_ajax. - Command:
browser_eval("window.fv_player_php.nonce")
- Target Variable:
5. Exploitation Strategy
- Login: Authenticate as a Subscriber user.
- Obtain Nonce: Follow the strategy in Section 4 to get a valid nonce for the settings action.
- Craft Payload:
"><script>alert(document.domain)</script> - Send Malicious Request: Use
http_requestto save the payload.- URL:
http://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: The exact parameteraction=fv_player_save_settings&nonce=[NONCE]&fv_player_settings[ads_code]=<script>alert(1)</script>fv_player_settings[ads_code]is inferred and should be verified by checking the plugin's settings page source.)
- URL:
6. Test Data Setup
- User: Create a subscriber user:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123. - Content: Ensure at least one page contains the
[fvplayer]shortcode. - Plugin Config: Ensure the plugin is active and at a version
< 7.5.51.7212.
7. Expected Results
- AJAX Response: A success indicator, such as
{"success":true}or a1. - Frontend Trigger: When viewing the page with the
[fvplayer]shortcode, a JavaScript alert should trigger, or the script should be visible in the page source unescaped.
8. Verification Steps
- Check Database: Verify the payload is stored in the options table.
wp option get fv_player_settings - Inspect Source: Use the
http_requesttool to fetch the frontend page and grep for the payload.# Look for the raw script tag in the HTML grep "<script>alert(1)</script>"
9. Alternative Approaches
- Different Parameters: If
ads_codeis not the sink, auditFV_Player_Settingsin the source code to find all keys in the settings array that are echoed back. Look for keys likecustom_css,tracking,player_name, orvideo_model. - Post Meta Sink: Check if the vulnerability exists in a post-specific metadata saving action (e.g.,
fv_player_save_item) instead of global settings. This would involve injecting the payload into a specific video's attributes.
Summary
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 7.5.51.7212. Authenticated attackers with subscriber-level access can exploit this by submitting malicious scripts through AJAX settings-saving actions that lack proper capability checks and input sanitization. These scripts are then stored and executed in the context of any user who views a page where the video player is loaded.
Security Fix
@@ -102,6 +102,10 @@ public function ajax_save_settings() { - check_ajax_referer( 'fv_player_nonce', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( -1 ); + } + check_ajax_referer( 'fv_player_nonce', 'nonce' ); $settings = $_POST['fv_player_settings']; - update_option( 'fv_player_settings', $settings ); + update_option( 'fv_player_settings', map_deep( $settings, 'sanitize_text_field' ) ); wp_die( 1 ); }
Exploit Outline
An attacker authenticates as a subscriber and retrieves a valid nonce from a page rendered with the plugin's shortcode. They then submit a crafted POST request to the 'fv_player_save_settings' AJAX action containing a JavaScript payload in the settings data. Since the plugin fails to verify administrative roles or sanitize this data, the payload is saved and later triggered when the plugin's settings are output on the frontend.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.