CVE-2024-5522
Published 2024-06-20
Priority: P3 · 49 · medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EXPLOIT
EPSS: 2.64% (83.7th percentile)
The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bplugins | html5_video_player | < 2.5.27 | 2.5.27 |
Detection & IOCs (extracted from sources)
url: /wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -
- Exploit targets the unauthenticated REST API endpoint GET /wp-json/h5vp/v1/video/0 with a SQL injection payload in the 'id' parameter using UNION-based injection with hex-encoded strings.
- Successful exploitation returns HTTP 200 with the MD5 hash of the injected numeric value in the response body, confirming blind/union SQL injection execution.
- The SQL injection payload uses 8-column UNION SELECT, indicating the underlying query returns 8 columns. Detection rules should look for 'union all select' with 8 comma-separated values in the 'id' query parameter of the h5vp REST route.
- Presence of the HTML5 Video Player plugin can be fingerprinted via PublicWWW or passive recon by searching for the path /wp-content/plugins/html5-video-player on a target WordPress site.
- The vulnerability affects only HTML5 Video Player plugin versions strictly before 2.5.27; version 2.5.27 and later are patched.
- The injection is unauthenticated: no WordPress credentials or nonce are required to trigger the vulnerable REST endpoint, making it exploitable by any external attacker.
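The detection guidance above ('union all select' with 8 comma-separated values in the 'id' parameter of the h5vp REST route), written out as an added example that is not part of the original page or of any published rule. It scans access-log lines, counts top-level UNION columns, and goes one step further by flagging any non-numeric id, which assumes legitimate id values are integers; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ROUTE = re.compile(r"^/wp-json/h5vp/v1/video/", re.I)
UNION = re.compile(r"union\s+(?:all\s+)?select\s+(.*)", re.I | re.S)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def top_level_columns(select_list):
    """Count comma-separated expressions, ignoring commas inside parentheses."""
    depth, cols = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == "," and depth == 0:
            cols += 1
    return cols

def classify(target):
    """Return a finding for a suspicious h5vp request target, else None."""
    parts = urlsplit(target)
    if not ROUTE.match(parts.path):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        m = UNION.search(value)  # parse_qs has already URL-decoded the value
        if m:
            select_list = re.split(r"--|#|/\*", m.group(1))[0]  # drop SQL comment
            return {"rule": "union-select", "columns": top_level_columns(select_list)}
        if not value.strip().isdigit():  # assumption: real ids are integers
            return {"rule": "non-numeric-id", "columns": 0}
    return None

def scan(lines):
    """Return findings with the HTTP status, so a 200 can be triaged first."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if m and (hit := classify(m.group(1))):
            findings.append({**hit, "status": int(m.group(2)), "line": line})
    return findings

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2024:10:00:01 +0000] "GET /wp-json/h5vp/v1/video/0?id=%27+union+all+select+concat(0x61,1,0x62),2,3,4,5,6,7,8--+- HTTP/1.1" 200 412',
    '198.51.100.4 - - [21/Jun/2024:10:00:05 +0000] "GET /wp-json/h5vp/v1/video/12?id=12 HTTP/1.1" 200 230',
    '198.51.100.9 - - [21/Jun/2024:10:00:09 +0000] "GET /wp-json/h5vp/v1/video/0?id=7%27 HTTP/1.1" 500 0',
    '198.51.100.4 - - [21/Jun/2024:10:00:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 900',
]
```

Calling `scan(SAMPLE_LOG)` returns two findings; the union-select hit with status 200 and 8 columns matches the success condition described above and should be triaged first.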
No detection rules found.
Nuclei
WordPress HTML5 Video Player < 2.5.27 - SQL Injection
nuclei·CVSS 6.5
CVE-2024-5522 [MEDIUM] WordPress HTML5 Video Player < 2.5.27 - SQL Injection
Template:
```yaml
id: CVE-2024-5522

info:
  name: WordPress HTML5 Video Player < 2.5.27 - SQL Injection
  author: JohnDoeAnonITA
  severity: critical
  description: |
    The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries to extract sensitive database information including user credentials, configuration data, and p
```