CVE-2024-7727
Published 2024-09-11
Priority: P4, 29
CVSS 3.1: 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.39% (31.0th percentile)
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bplugins | html5_video_player | < 2.5.33 | 2.5.33 |
| bplugins | html5_video_player_embed_and_play_videos_in_custom_player | <= 2.5.32 | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L5
https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/ImportData.php#L4
https://plugins.trac.wordpress.org/changeset/3139559/
https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=cve