.. / CVE-2024-5522

Exploit for WordPress Plugin HTML5 Video Player < 2.5.27 - Unauthenticated SQL Injection (CVE-2024-5522)

Description:

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Affected Products:

Proof of Concept

PoC exploits

Nuclei Template

View the template here CVE-2024-5522.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-5522.yaml
Copy

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-5522
https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a