CVE-2014-5180 in hdw-player-video-player-video-galleryinfo

Summary

by MITRE

SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/15/2025

The vulnerability identified as CVE-2014-5180 represents a critical SQL injection flaw within the HDW Player Plugin version 2.4.2 for WordPress systems. This security weakness specifically affects the videos page functionality and stems from inadequate input validation mechanisms within the plugin's administrative interface. The vulnerability manifests when authenticated administrators access the edit action through wp-admin/admin.php, where the id parameter fails to properly sanitize user-supplied data before incorporating it into SQL query constructions. This oversight creates a pathway for malicious actors who have gained administrative privileges to manipulate database operations through crafted input sequences.

The technical exploitation of this vulnerability falls under CWE-89, which classifies SQL injection as a code injection technique that exploits improper handling of user input in database queries. Attackers can leverage this flaw to execute arbitrary SQL commands against the WordPress database, potentially gaining unauthorized access to sensitive information, modifying database records, or even escalating their privileges within the compromised system. The vulnerability's impact is particularly severe because it requires only authenticated administrator access, meaning that an attacker who has already compromised administrative credentials can leverage this weakness to perform extensive database manipulation without additional authentication requirements.

From an operational perspective, this vulnerability poses significant risks to WordPress installations utilizing the affected HDW Player Plugin version 2.4.2. The attack surface is limited to systems where the plugin is installed and where administrative users have access to the wp-admin interface. However, the potential damage can be substantial, including data theft, unauthorized content modification, and possible system compromise that could affect the entire WordPress installation. The vulnerability also demonstrates poor input validation practices that are commonly exploited in similar attack scenarios, making it a typical example of how insufficient data sanitization can create persistent security weaknesses in web applications.

The exploitation of this vulnerability aligns with ATT&CK technique T1071.004, which covers application layer protocol manipulation, specifically targeting web applications through SQL injection vectors. Organizations should implement comprehensive mitigation strategies including immediate plugin updates to versions that address the SQL injection flaw, proper input validation and parameterized queries, and regular security audits of installed WordPress plugins. Additionally, implementing network monitoring and intrusion detection systems can help identify potential exploitation attempts. The vulnerability also underscores the importance of principle of least privilege, where administrative access should be restricted to only necessary personnel and regularly reviewed to minimize the risk of privilege escalation attacks. Organizations should also consider implementing web application firewalls and database activity monitoring to detect and prevent unauthorized SQL command execution attempts.

Reservation

08/06/2014

Disclosure

08/06/2014

Moderation

accepted

Entry

VDB-70547

CPE

ready

Exploit

Download

EPSS

0.02370

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!