CVE-2024-7727
MEDIUMHTML5 Video Player < 2.5.33 - Unauthenticated Unauthorized Data Access via h5vp_ajax_handler
Title source: llmDescription
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.
References (4)
Core 4
Core References
Issue Tracking
https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L5
Scores
CVSS v3
5.3
EPSS
0.0039
EPSS Percentile
31.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
bplugins/HTML5 Video Player – Embed and Play Videos in Custom Player
< 2.5.32
bplugins/html5_video_player
< 2.5.33
Published
Sep 11, 2024
Tracked Since
Feb 18, 2026