CVE-2020-35748 in FV Flowplayer Video Player
Summary
by MITRE • 01/16/2021
Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the fv_wp_fvvideoplayer_src JSON field in the data parameter.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/14/2021
The CVE-2020-35748 vulnerability represents a critical cross-site scripting flaw within the FV Flowplayer Video Player WordPress plugin, specifically affecting versions prior to 7.4.37.727. This vulnerability resides in the models/list-table.php file and demonstrates a classic XSS weakness that can be exploited by authenticated attackers with minimal privileges. The flaw manifests when the plugin processes the fv_wp_fvvideoplayer_src JSON field within the data parameter, creating an avenue for malicious script injection that can persist across user sessions and potentially compromise the entire WordPress installation.
The technical exploitation of this vulnerability occurs through the improper sanitization of user-supplied input within the plugin's administrative interface. When authenticated users with appropriate permissions submit video player configurations containing malicious JavaScript within the fv_wp_fvvideoplayer_src field, the plugin fails to adequately validate or escape this input before rendering it in the HTML output. This allows attackers to inject arbitrary web scripts or HTML content that executes in the context of other users' browsers who view the affected pages. The vulnerability is particularly concerning because it requires only authenticated access, meaning that any user with contributor or administrator privileges can potentially exploit this flaw, making it a significant risk for WordPress sites with multiple user accounts.
From an operational perspective, this XSS vulnerability creates multiple attack vectors that can be leveraged for various malicious activities. Attackers can use this flaw to steal session cookies, redirect users to malicious websites, deface the website content, or even escalate privileges within the WordPress environment. The impact extends beyond simple script injection as it can enable more sophisticated attacks such as credential theft, data exfiltration, or the establishment of persistent backdoors. The vulnerability's presence in the plugin's list table functionality means that any administrator or privileged user viewing the video player management interface becomes a potential victim of this attack, creating a wide attack surface that can affect multiple users simultaneously.
The security implications of CVE-2020-35748 align with CWE-79 which specifically addresses cross-site scripting vulnerabilities in web applications. This classification emphasizes the fundamental weakness in input validation and output encoding practices within the plugin's codebase. Additionally, the vulnerability maps to ATT&CK technique T1566.001 which covers the use of malicious content in web applications, and T1071.001 which involves application layer protocol usage. The attack surface is particularly dangerous because it leverages the trust relationship between WordPress users and the plugin, allowing attackers to execute malicious code within the context of legitimate user sessions. Organizations should prioritize immediate patching of this vulnerability, as the combination of authenticated access requirements and the potential for persistent malicious script execution creates a significant risk for WordPress installations.
Mitigation strategies for this vulnerability require immediate deployment of the patched version 7.4.37.727 or later, which implements proper input sanitization and output escaping mechanisms. Security teams should also implement additional protective measures including regular security audits of WordPress plugins, implementing web application firewalls, and conducting thorough input validation across all user-submitted content. Network monitoring should be enhanced to detect unusual patterns in plugin API calls, and user access controls should be reviewed to minimize the number of users with administrative privileges. The vulnerability highlights the importance of maintaining updated WordPress plugins and implementing comprehensive security frameworks that include regular vulnerability assessments, automated patch management, and continuous monitoring of web application security posture.