CVE-2024-5522

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in the HTML5 Video Player WordPress plugin allows unauthenticated attackers to execute arbitrary SQL commands on affected WordPress sites. All WordPress installations using vulnerable versions of this plugin are affected, potentially exposing database contents.

💻 Affected Systems

Products:
  • HTML5 Video Player WordPress plugin
Versions: All versions before 2.5.27
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress REST API to be enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including sensitive data theft, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Data exfiltration from WordPress database including user credentials, private content, and configuration data.

🟢 If Mitigated

Limited impact with proper database permissions and network segmentation, though data exposure is still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and uses standard SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.27

Vendor Advisory: https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a/

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins.
3. Find HTML5 Video Player plugin.
4. Click Update Now to version 2.5.27 or later.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

all

Remove or restrict access to the vulnerable REST API endpoint

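Add to theme functions.php: remove_action('rest_api_init', 'html5_video_player_register_rest_route');

remove_action only takes effect when the callback name and priority match the plugin's own add_action call and it runs after the plugin has registered the hook, so confirm afterwards that the route no longer responds.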

Web Application Firewall rule

all

Block SQL injection patterns targeting the vulnerable endpoint

WAF specific - create rule to block requests containing SQL injection patterns to /wp-json/html5-video-player/* endpoints

🧯 If You Can't Patch

  • Disable the HTML5 Video Player plugin immediately
  • Implement network-level restrictions to block external access to WordPress REST API

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > HTML5 Video Player version. If version is below 2.5.27, you are vulnerable.

Check Version:

wp plugin list --name='html5-video-player' --field=version

Verify Fix Applied:

Confirm plugin version is 2.5.27 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed REST API requests to /wp-json/html5-video-player/*
  • Database error messages containing SQL syntax

Network Indicators:

  • HTTP POST requests to /wp-json/html5-video-player/* with SQL injection patterns
  • Unusual outbound database connections from web server

SIEM Query:

source="web_server" AND (uri_path="/wp-json/html5-video-player/*" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "--"))
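
The same check applied offline to web server access logs, as an added example (not code from the plugin vendor or the advisory). It assumes Combined Log Format and the endpoint prefix listed above; access logs record only the request URI, so POST bodies are not covered, and the route name and log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# REST namespace as given in the indicators above. WordPress also serves REST
# routes through the ?rest_route= query parameter, so both forms are matched.
ROUTE = re.compile(r"(?:/wp-json/|[?&]rest_route=/)html5-video-player/", re.I)
# Tokens from the SIEM query above, applied after URL decoding.
SQL_TOKENS = re.compile(r"\b(?:union|select)\b|--", re.I)
# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, timestamp, status, decoded_uri) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        uri = decode(m["uri"])
        route = ROUTE.search(uri)
        # Only inspect what follows the plugin's namespace in the URI.
        if route and SQL_TOKENS.search(uri[route.end():]):
            hits.append((m["ip"], m["ts"], int(m["status"]), uri))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical route name).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "GET /wp-json/html5-video-player/example-route?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [12/Jun/2024:10:01:05 +0000] "GET /wp-json/html5-video-player/example-route?id=42 HTTP/1.1" 200 128 "-" "-"',
    '198.51.100.4 - - [12/Jun/2024:10:01:09 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.9 - - [12/Jun/2024:10:02:11 +0000] "GET /index.php?rest_route=/html5-video-player/example-route&id=1%2520union%2520select%25201 HTTP/1.1" 500 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits are triage leads rather than proof of exploitation; review the response status and any database errors logged at the same timestamp.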
