cbcvebase.
CVE-2024-5522
published 2024-06-20


Priority: P3 (49)
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploit: available
EPSS: 2.64% (83.7th percentile)
The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Affected (1 range)

Vendor   | Product            | Version range | Fixed in
bplugins | html5_video_player | < 2.5.27      | 2.5.27

Detection & IOCs (extracted from sources)

url:  /wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -
path: /wp-content/plugins/html5-video-player
path: /wp-json/h5vp/v1/video/
  • The exploit targets the unauthenticated REST API endpoint GET /wp-json/h5vp/v1/video/0 with a UNION-based SQL injection payload, using hex-encoded strings, in the 'id' parameter.
  • Successful exploitation returns HTTP 200 with the MD5 hash of the injected numeric value in the response body, confirming that the injected UNION query executed.
  • The payload uses an 8-column UNION SELECT, indicating that the underlying query returns 8 columns. Detection rules should look for 'union all select' with 8 comma-separated values in the 'id' query parameter of the h5vp REST route.
  • Presence of the HTML5 Video Player plugin can be fingerprinted via PublicWWW or passive recon by searching for the path /wp-content/plugins/html5-video-player on a WordPress site.
  • Only HTML5 Video Player plugin versions strictly before 2.5.27 are affected; version 2.5.27 and later are patched.
  • The injection is unauthenticated: no WordPress credentials or nonce are required to reach the vulnerable REST endpoint, so any external client can trigger it.
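The detection rule described above (a 'union all select' with 8 comma-separated values in the 'id' parameter of the h5vp video route), run over web-server access logs, as an added example that is not part of this record or of the plugin. The log lines are constructed for the example: IPs are documentation addresses, the second line carries the IOC payload above with a fixed number in place of {{num}}, and the column counter is parenthesis-aware so concat(...) counts as one column.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Request line of a combined-format access log: "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
H5VP_ROUTE = "/wp-json/h5vp/v1/video/"
# UNION ALL SELECT followed by its column list, up to a SQL comment or end of value
UNION_RE = re.compile(r"union\s+all\s+select\s+(?P<cols>.+?)(?:--|#|$)", re.I | re.S)

# Constructed samples: a normal request, the IOC payload (1234 in place of {{num}}),
# a plugin fingerprint probe, and a 2-column UNION that is suspicious but not the CVE shape.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2024:10:00:01 +0000] "GET /wp-json/h5vp/v1/video/12?id=12 HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2024:10:00:02 +0000] "GET /wp-json/h5vp/v1/video/0?id=%27+union+all+select+concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5(1234)),2,3,4,5,6,7,8--+- HTTP/1.1" 200 731
203.0.113.9 - - [20/Jun/2024:10:00:03 +0000] "GET /wp-content/plugins/html5-video-player/readme.txt HTTP/1.1" 200 1024
203.0.113.7 - - [20/Jun/2024:10:00:04 +0000] "GET /wp-json/h5vp/v1/video/3?id=3%20union%20all%20select%201,2 HTTP/1.1" 500 0
"""

def count_select_columns(cols):
    """Count top-level comma-separated expressions, ignoring commas inside parentheses."""
    depth, count = 0, 1
    for ch in cols:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count

def inspect_request(target):
    """Return a finding for a UNION payload in the 'id' parameter of the h5vp video route, else None.
    8 columns is the shape of the CVE-2024-5522 payload; other counts are reported but not flagged."""
    parts = urlsplit(target)
    if not parts.path.startswith(H5VP_ROUTE):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        m = UNION_RE.search(value)  # parse_qs has already URL-decoded the value
        if m:
            ncols = count_select_columns(m.group("cols").strip())
            return {"path": parts.path, "columns": ncols, "cve_2024_5522_shape": ncols == 8}
    return None

def scan_log(text):
    """Run inspect_request over every request line and collect findings with their HTTP status."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (finding := inspect_request(m.group("target"))):
            finding["status"] = int(m.group("status"))
            findings.append(finding)
    return findings
```

A finding with cve_2024_5522_shape set and status 200 matches the success condition noted above (the server answered the injected query), while a 4xx/5xx on the same route is an attempt worth alerting on but not a confirmed extraction.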