CVE-2024-7727

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bplugins:html5_video_player:*:*:*:*:*:wordpress:*:*

History

18 Sep 2024, 18:07

Type Values Removed Values Added
First Time Bplugins html5 Video Player
Bplugins
CPE cpe:2.3:a:bplugins:html5_video_player:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L5 - () https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L5 - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/ImportData.php#L4 - () https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/ImportData.php#L4 - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3139559/ - () https://plugins.trac.wordpress.org/changeset/3139559/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=cve - Third Party Advisory

11 Sep 2024, 16:26

Type Values Removed Values Added
Summary
  • (es) El complemento HTML5 Video Player – mp4 Video Player Plugin and Block para WordPress son vulnerables al acceso no autorizado a los datos debido a una verificación de capacidad faltante en varias funciones llamadas a través de la acción ajax 'h5vp_ajax_handler' en todas las versiones hasta la 2.5.32 incluida. Esto hace posible que atacantes no autenticados llamen a estas funciones para manipular los datos.

11 Sep 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-11 05:15

Updated : 2024-09-18 18:07


NVD link : CVE-2024-7727

Mitre link : CVE-2024-7727

CVE.ORG link : CVE-2024-7727


JSON object : View

Products Affected

bplugins

  • html5_video_player
CWE
CWE-862

Missing Authorization