Zero-Day Advisory
Fortinet Discovers WordPress FV Flowplayer Video Player SQL Injection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a SQL injection vulnerability in the FolioVision FV Flowplayer Video Player plugin for WordPress.
FV Player is a free, easy-to-use, and complete solution for embedding FLV or MP4 videos into your posts or pages. With MP4 videos, FV Player offers 98% coverage even on mobile devices.
A SQL injection vulnerability exists in the FV Flowplayer Video Player plugin through 7.3.18.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
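The advisory does not publish the affected code, so the following is an added illustration of the vulnerability class it describes, written here for defenders and not taken from the advisory or from the FV Player plugin. The function names, the table name `example_video_stats` and the request handling are assumptions; the point is the contrast between interpolating input into a query and binding it through `$wpdb->prepare()`, which is the standard WordPress fix for this class of defect.

```php
<?php
// Added illustration of the SQL injection class named in the advisory.
// NOT the plugin's code: function names and the table name are assumptions.

// Vulnerable pattern: a request parameter is concatenated into the SQL text,
// so the input can alter the structure of the query, not just a value in it.
function get_video_stats_unsafe( $video_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_video_stats'; // assumed table
    // Whatever arrives in $video_id becomes part of the statement: the defect.
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE video_id = {$video_id}" );
}

// Hardened pattern: enforce the expected type, then bind with a placeholder.
function get_video_stats_safe( $video_id ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_video_stats'; // assumed table
    $video_id = absint( $video_id ); // integers only; anything else becomes 0
    if ( 0 === $video_id ) {
        return array();
    }
    // %d is a typed placeholder; $wpdb->prepare() renders the value safely, so
    // the input can never change the shape of the query.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE video_id = %d", $video_id );
    return $wpdb->get_results( $sql );
}

// String inputs take %s, which prepare() quotes and escapes. For LIKE clauses
// also neutralise the wildcard characters with $wpdb->esc_like().
function find_videos_by_title_safe( $title ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $title ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
    );
}
```

When reviewing a plugin for this class of issue, any `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string is built with interpolation or concatenation of request data (`$_GET`, `$_POST`, `$_REQUEST`, REST or AJAX parameters) is the pattern to flag; the fix is the same in every case: validate the type, then pass the value through `$wpdb->prepare()` rather than into the string.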
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.FolioVision.FlowplayerVideoPlayer.SQL.Injection
Users should apply the patch provided by FolioVision.
Timeline
Fortinet reported the vulnerability to FolioVision on 11 July, 2019.
FolioVision confirmed the vulnerability on 12 July, 2019.
FolioVision released a patch for the vulnerability on 12 July, 2019.
Acknowledgement
This vulnerability was discovered by Tin Duong of Fortinet's FortiGuard Labs.