Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 8 known issues Latest disclosed Jan 13, 2025

HTML5 Video Player – Embed and Play Videos in Custom Player Vulnerabilities

Q: How many HTML5 Video Player – Embed and Play Videos in Custom Player vulnerabilities have patch guidance?

8 of 8 tracked HTML5 Video Player – Embed and Play Videos in Custom Player records include a published patch path.

Review known vulnerability records for the WordPress plugin HTML5 Video Player – Embed and Play Videos in Custom Player (`html5-video-player`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-13156, CVE-2024-7721 and CVE-2024-7727, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Jan 14, 2025

Priority CVE Quick Links

Fast paths into HTML5 Video Player – Embed and Play Videos in Custom Player CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-5522 Critical 2.5.27

CVE-2024-5522 HTML5 Video Player – Embed and Play Videos in Custom Player SQL Injection

HTML5 Video Player <= 2.5.26 - Unauthenticated SQL Injection

CVE-2024-1061 Medium 2.5.25

CVE-2024-1061 HTML5 Video Player – Embed and Play Videos in Custom Player SQL Injection

HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id

CVE-2024-13156 Medium 2.5.36

CVE-2024-13156 HTML5 Video Player – Embed and Play Videos in Custom Player Stored Cross-Site Scripting

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter

CVE-2024-43296 Medium 2.5.31

CVE-2024-43296 HTML5 Video Player – Embed and Play Videos in Custom Player Vulnerability

Flash & HTML5 Video <= 2.5.30 - Missing Authorization

CVE-2023-6485 Medium 2.5.19

CVE-2023-6485 HTML5 Video Player – Embed and Play Videos in Custom Player Stored Cross-Site Scripting

Html5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting

CVE-2024-7727 Medium 2.5.33

CVE-2024-7727 HTML5 Video Player – Embed and Play Videos in Custom Player Vulnerability

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler

CVE-2024-7721 Medium 2.5.35

CVE-2024-7721 HTML5 Video Player – Embed and Play Videos in Custom Player Vulnerability

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

CVE-2024-43319 Medium 2.5.32

CVE-2024-43319 HTML5 Video Player – Embed and Play Videos in Custom Player Sensitive Information Exposure

Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for HTML5 Video Player – Embed and Play Videos in Custom Player so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

8 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 0 high severity findings.

Recent CVEs

CVE-2024-13156, CVE-2024-7721 and CVE-2024-7727

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2024-13156 Medium Patch path listed

CVE-2024-13156: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘heading’ parameter in all versions up to, and...

Published

Jan 13, 2025

Patch Status

2.5.36

Open CVE-2024-13156 Report

CVE-2024-7721 Medium Patch path listed

CVE-2024-7721: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' fu...

Published

Sep 10, 2024

Patch Status

2.5.35

Open CVE-2024-7721 Report

CVE-2024-7727 Medium Patch path listed

CVE-2024-7727: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called vi...

Published

Sep 10, 2024

Patch Status

2.5.33

Open CVE-2024-7727 Report

Known Vulnerabilities

Reports for HTML5 Video Player – Embed and Play Videos in Custom Player

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2024-13156

CVE-2024-13156: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘heading’ parameter in all versions up to, and including, 2.5.35 due to insufficient input sanitization and output escaping. This makes i...

Published

Jan 13, 2025

Patched Release

2.5.36

Affected Versions

Versions up to 2.5.35

Next Step

Update to 2.5.36 or newer if supported.

Open CVE-2024-13156 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-7721

CVE-2024-7721: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authentica...

Published

Sep 10, 2024

Patched Release

2.5.35

Affected Versions

Versions up to 2.5.34

Next Step

Update to 2.5.35 or newer if supported.

Open CVE-2024-7721 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-7727

CVE-2024-7727: HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This m...

Published

Sep 10, 2024

Patched Release

2.5.33

Affected Versions

Versions up to 2.5.32

Next Step

Update to 2.5.33 or newer if supported.

Open CVE-2024-7727 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-43296

CVE-2024-43296: Flash & HTML5 Video <= 2.5.30 - Missing Authorization

The Flash & HTML5 Video plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in versions up to, and including, 2.5.30. This makes it possible for authenticated attackers, with subscriber-level access and above, to upd...

Published

Aug 16, 2024

Patched Release

2.5.31

Affected Versions

Versions up to 2.5.30

Next Step

Update to 2.5.31 or newer if supported.

Open CVE-2024-43296 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-43319

CVE-2024-43319: Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.31 via the h5vp_export_data() function. This makes it possible for authenticated attackers, with Subscriber-le...

Published

Aug 16, 2024

Patched Release

2.5.32

Affected Versions

Versions up to 2.5.31

Next Step

Update to 2.5.32 or newer if supported.

Open CVE-2024-43319 Report Open CVE Reference

Plugin Critical Patched: Yes CVE-2024-5522

CVE-2024-5522: HTML5 Video Player <= 2.5.26 - Unauthenticated SQL Injection

The HTML5 Video Player – Best WordPress Video Player Plugin and Block plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.26 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on the existing SQL...

Published

May 30, 2024

Patched Release

2.5.27

Affected Versions

Versions up to 2.5.26

Next Step

Update to 2.5.27 or newer if supported.

Open CVE-2024-5522 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1061

CVE-2024-1061: HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id

The Html5 Video Player plugin for WordPress is vulnerable to SQL Injection via the 'id’ parameter in all versions up to, and including, 2.5.24 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p...

Published

Jan 31, 2024

Patched Release

2.5.25

Affected Versions

Versions up to 2.5.24

Next Step

Update to 2.5.25 or newer if supported.

Open CVE-2024-1061 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-6485

CVE-2023-6485: Html5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Html5 Video Player – mp4 player, Video Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Published

Dec 08, 2023

Patched Release

2.5.19

Affected Versions

Versions up to 2.5.18

Next Step

Update to 2.5.19 or newer if supported.

Open CVE-2023-6485 Report Open CVE Reference