cbcvebase.
CVE-2024-1061
published 2024-01-30

CVE-2024-1061: The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the…

Priority P183 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.13% (95.4th percentile)
The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

Affected

1 range
Vendor: bplugins
Product: html5_video_player
Version range: < 2.5.25
Fixed in: 2.5.25

Detection & IOCs (extracted from sources)

url: /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-
command: id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-
  • Detect time-based blind SQLi via the 'id' parameter in the REST route /h5vp/v1/view/; look for response duration >= 6 seconds when SLEEP(6) payload is injected.
  • Confirm exploitation by checking that the response Content-Type header contains 'application/json'.
  • Confirm exploitation by checking that the response body contains both 'created_at' and 'video_id' fields.
  • The vulnerable REST API endpoint is /h5vp/v1/view/ accessed via the 'rest_route' query parameter; the injection point is the 'id' parameter in the 'get_view' function of the HTML5 Video Player plugin.
  • Use FOFA query to identify exposed WordPress instances running the html5-video-player plugin as potential targets.
  • The vulnerability affects HTML5 Video Player plugin versions strictly below 2.5.25; version 2.5.25 and above are considered patched.
  • The exploit is unauthenticated — no credentials or prior access are required to trigger the SQL injection via the REST API.
  • The Nuclei template uses a 20-second HTTP timeout to accommodate the SLEEP(6) time-based payload; detection logic requires duration >= 6 seconds AND JSON content-type AND body fields 'created_at'/'video_id' all simultaneously.
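The log-side counterpart of the detection notes above, as an added example that is not part of this record and not code from the plugin or the Nuclei template: it scans web server access logs for requests to the h5vp view REST route (either the rest_route query form or the /wp-json pretty-permalink form) whose 'id' parameter is not a plain integer, and escalates when a MySQL time-based function appears together with a response time of 6 seconds or more. It assumes an nginx combined log format with one extra trailing request_time field in seconds, and the log lines are constructed for the example. The confirms_exploitation helper encodes the three-way rule the template uses (duration, JSON content type, both body fields) for triaging a response captured during your own verification.

```python
"""Log-side detection for CVE-2024-1061 (HTML5 Video Player < 2.5.25).

Added example, not from the original record. Assumes nginx combined format
with a trailing request_time field; sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: combined format + request_time (seconds).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2024:10:00:01 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1 HTTP/1.1" 200 87 0.041
203.0.113.9 - - [30/Jan/2024:10:00:07 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 87 6.312
203.0.113.9 - - [30/Jan/2024:10:00:15 +0000] "GET /wp-json/h5vp/v1/view/1?id=abc HTTP/1.1" 200 87 0.052
198.51.100.2 - - [30/Jan/2024:10:00:20 +0000] "GET /?rest_route=/wp/v2/posts&id=1 HTTP/1.1" 200 912 0.038
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$'
)
# MySQL time-based primitives; matched after URL decoding of the parameter.
TIME_FUNC_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
VIEW_ROUTE = "/h5vp/v1/view/"
SLOW_SECONDS = 6.0  # the SLEEP(6) threshold documented for this CVE


def is_view_route(target):
    """True when the request reaches the h5vp view endpoint, via
    ?rest_route=... or the /wp-json/... permalink form."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(r.startswith(VIEW_ROUTE) for r in query.get("rest_route", [])):
        return True
    return parts.path.startswith("/wp-json" + VIEW_ROUTE)


def classify_id(raw_id):
    """Reasons an already-decoded 'id' value looks like an injection attempt.
    The plugin's id is a numeric row id, so anything else is suspicious."""
    reasons = []
    if not raw_id.isdigit():
        reasons.append("non-numeric id")
    if TIME_FUNC_RE.search(raw_id):
        reasons.append("time-based SQL function in id")
    return reasons


def scan_log(text):
    """Return one finding per suspicious request to the view endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_view_route(m["target"]):
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw_id in query.get("id", []):  # parse_qs already URL-decodes
            reasons = classify_id(raw_id)
            if not reasons:
                continue
            rt = float(m["rt"])
            # A slow response to a SLEEP()/BENCHMARK() probe is the strongest
            # signal in logs that the injected SQL actually executed.
            if rt >= SLOW_SECONDS and "time-based SQL function in id" in reasons:
                reasons.append("response delayed >= %.0fs (likely exploitable)" % SLOW_SECONDS)
            findings.append({"ip": m["ip"], "ts": m["ts"], "id": raw_id,
                             "request_time": rt, "reasons": reasons})
    return findings


def confirms_exploitation(duration_s, content_type, body):
    """The record's three-way rule for a time-based probe: slow, JSON, and
    both 'created_at' and 'video_id' present in the body. All must hold."""
    return (duration_s >= SLOW_SECONDS
            and "application/json" in (content_type or "").lower()
            and "created_at" in body and "video_id" in body)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s id=%r rt=%.3fs: %s" % (
            f["ts"], f["ip"], f["id"], f["request_time"], "; ".join(f["reasons"])))
```

Requiring a non-numeric id rather than matching specific payload strings keeps the rule robust to encoding and keyword variation, and the request_time field is what separates a blocked or harmless probe from one where the database actually slept. Upgrading the plugin to 2.5.25 remains the fix; the scan is for scoping what happened before the upgrade.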

CVSS provenance

source         version  score  severity  vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck               8.6    HIGH
vendor_redhat           4.7    MEDIUM