CVE-2024-5522 (CVSS 10): Critical Security Flaw Threatens Thousands of WordPress Sites

CVE-2024-5522

WordPress users who have installed the popular HTML5 Video Player plugin are urged to take immediate action following the discovery of a critical security vulnerability. The flaw, tracked as CVE-2024-5522, allows unauthenticated attackers to inject malicious SQL code into website databases, potentially exposing sensitive information or compromising site integrity.

CVE-2024-5522

With over 30,000 active installations, this vulnerability poses a significant risk to a large number of WordPress websites. The affected plugin, HTML5 Video Player – Best WordPress Video Player Plugin and Block, is a widely used tool that enables users to seamlessly embed responsive HTML5 videos on their sites.

With a CVSS score of 10, CVE-2024-5522 is classified as an SQL Injection (SQLi) vulnerability, a common yet dangerous type of attack that exploits insecure code practices. In this case, the vulnerability stems from insufficient input validation and improper handling of SQL queries, allowing attackers to manipulate the plugin’s database interactions.

Through this vulnerability, malicious actors can execute arbitrary SQL queries, gaining the ability to:

  • Steal sensitive data: Retrieve confidential information such as user credentials, financial details, or proprietary data.
  • Modify website content: Deface web pages, redirect visitors to malicious sites, or inject harmful code.
  • Compromise site functionality: Disrupt website operations, install backdoors, or take complete control of the site.

The vulnerability was discovered and reported by security researcher Mayank Deshmukh.

The vulnerability affects all versions of the HTML5 Video Player plugin up to and including 2.5.26. Users are strongly advised to update the plugin to the latest version immediately, which should address the issue. If an update is not feasible, consider temporarily disabling or removing the plugin until a fix is available.