CVE-2024-7721

4.3 MEDIUM

📋 TL;DR

This vulnerability in the HTML5 Video Player WordPress plugin allows authenticated attackers with Subscriber-level access or higher to modify plugin settings without proper authorization. Attackers can enable user registration even if it was disabled, potentially allowing unauthorized account creation. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • HTML5 Video Player – mp4 Video Player Plugin and Block for WordPress
Versions: All versions up to and including 2.5.34
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the vulnerable plugin installed and at least one authenticated user with Subscriber role or higher.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers enable user registration, create admin accounts, and gain full control of the WordPress site, potentially leading to data theft, defacement, or malware installation.

🟠

Likely Case

Attackers enable user registration to create additional accounts for spam, credential harvesting, or maintaining persistent access to the compromised site.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized plugin setting changes that can be detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.35

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3148088/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HTML5 Video Player'.
4. Click 'Update Now' if available, or download version 2.5.35+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the HTML5 Video Player plugin until patched

wp plugin deactivate html5-video-player

Restrict user registration

all

Ensure user registration is disabled in WordPress settings

wp option update users_can_register 0

🧯 If You Can't Patch

  • Remove Subscriber and higher role access from untrusted users
  • Implement web application firewall rules to block suspicious AJAX requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → HTML5 Video Player version. If version is 2.5.34 or lower, you are vulnerable.

Check Version:

wp plugin get html5-video-player --field=version

Verify Fix Applied:

Verify plugin version is 2.5.35 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests to /wp-admin/admin-ajax.php with action 'save_password'
  • Sudden increase in user registrations
  • Changes to plugin settings from non-admin users

Network Indicators:

  • POST requests to admin-ajax.php with save_password parameter from non-admin IPs

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "save_password" AND NOT user_role="administrator"
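As an added example (not part of this advisory or the plugin), a small Python scanner that applies the indicators above to constructed JSON log events: it pulls the admin-ajax `action` value from the query string or the POST body and flags `save_password` calls from any non-administrator, including unauthenticated requests. The log schema (fields `ts`, `ip`, `user`, `role`, `method`, `uri`, `body`) is an assumption; adapt `parse` to whatever your activity-log plugin or reverse proxy actually emits.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample events (not real logs). Assumed schema: one JSON object
# per line with ts, ip, user, role, method, uri and body fields.
SAMPLE_LOG = """\
{"ts": "2024-08-12T10:01:02Z", "ip": "203.0.113.5", "user": "alice", "role": "subscriber", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=save_password&users_can_register=1"}
{"ts": "2024-08-12T10:01:05Z", "ip": "198.51.100.9", "user": "admin", "role": "administrator", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=save_password&autoplay=0"}
{"ts": "2024-08-12T10:02:00Z", "ip": "203.0.113.5", "user": "alice", "role": "subscriber", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=heartbeat", "body": ""}
{"ts": "2024-08-12T10:03:00Z", "ip": "203.0.113.7", "user": "", "role": "", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=save_password&users_can_register=1"}
"""

SUSPECT_ACTION = "save_password"      # AJAX action named in the advisory
PRIVILEGED_ROLES = {"administrator"}  # roles expected to change plugin settings


def ajax_action(event):
    """Return the admin-ajax 'action' value from the query string or POST body."""
    query = urlsplit(event.get("uri", "")).query
    for source in (query, event.get("body", "")):
        values = parse_qs(source).get("action")
        if values:
            return values[0]
    return None


def is_admin_ajax(event):
    return urlsplit(event.get("uri", "")).path.endswith("/admin-ajax.php")


def scan(log_text):
    """Return one finding per save_password call not made by an administrator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not is_admin_ajax(event) or ajax_action(event) != SUSPECT_ACTION:
            continue
        role = event.get("role") or "anonymous"  # unauthenticated calls count too
        if role in PRIVILEGED_ROLES:
            continue
        findings.append({"line": lineno, "ip": event.get("ip"),
                         "user": event.get("user") or "anonymous",
                         "role": role, "body": event.get("body", "")})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding carries the request body, so the `users_can_register=1` setting change that the advisory warns about is visible directly in the alert.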

🔗 References
