CVE-2023-4520

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published: Aug 25, 2023
Updated: Nov 7, 2023
CWE ID 284

Summary

CVE-2023-4520 is a stored cross-site scripting (XSS) vulnerability in the FV Flowplayer Video Player plugin for WordPress. It stems from insufficient input sanitization and output escaping in the plugin's 'save' function, which is hooked via init. Unauthenticated attackers can inject arbitrary web scripts through the '_fv_player_user_video' parameter; the injected scripts then execute whenever a user accesses an injected page. The same 'save' function also permits arbitrary usermeta updates in plugin versions up to 7.5.37.7212, so attackers can write attacker-chosen strings into user metadata, which can lead to further security risks.
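The pattern behind this class of bug, as an added illustration rather than FV Player's actual code: an init-hooked save handler that stores unsanitized request input in usermeta, followed by a hardened version with an authentication check, a nonce check, sanitization on input and escaping on output. Function names, the nonce action `fv_demo_save` and the assumption that the meta value is a plain text string are all hypothetical.

```php
<?php
// Hypothetical vulnerable pattern (not the plugin's code): the handler runs on
// every request because it is hooked on 'init', and it writes raw request data
// into usermeta without checking who is asking or what the value contains.
function fv_demo_save_vulnerable() {
    if ( isset( $_POST['_fv_player_user_video'] ) ) {
        // Assumed for illustration: user id and value both come from the request.
        $user_id = (int) $_POST['user_id'];
        update_user_meta( $user_id, '_fv_player_user_video', $_POST['_fv_player_user_video'] );
    }
}

// Hardened version: fail closed unless every precondition holds.
function fv_demo_save_hardened() {
    if ( ! isset( $_POST['_fv_player_user_video'] ) ) {
        return;
    }
    // 1. Unauthenticated visitors must never reach a state-changing handler.
    if ( ! is_user_logged_in() ) {
        return;
    }
    // 2. Verify a nonce so the request originated from the plugin's own form.
    $nonce = isset( $_POST['fv_demo_nonce'] ) ? wp_unslash( $_POST['fv_demo_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fv_demo_save' ) ) {
        return;
    }
    // 3. Only touch the current user's own metadata; ignore any id in the request.
    $user_id = get_current_user_id();
    // 4. Sanitize on input: strip tags and control characters before storing.
    $video = sanitize_text_field( wp_unslash( $_POST['_fv_player_user_video'] ) );
    if ( '' === $video ) {
        return;
    }
    update_user_meta( $user_id, '_fv_player_user_video', $video );
}
add_action( 'init', 'fv_demo_save_hardened' );

// Escape on output as well: a stored value is never trusted when rendered.
function fv_demo_render_video( $user_id ) {
    $video = get_user_meta( $user_id, '_fv_player_user_video', true );
    return '<span class="fv-demo-video">' . esc_html( $video ) . '</span>';
}
```

Auditing a plugin for this pattern means checking every callback hooked on `init` (or another always-running action) for a capability or login check, a nonce check, and sanitization before any `update_user_meta`/`update_option` call.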
