CVE-2024-1061: 
WordPress vulnerability analysis and mitigation

The HTML5 Video Player WordPress Plugin versions prior to 2.5.25 is affected by an unauthenticated SQL injection vulnerability. The vulnerability exists in the 'id' parameter within the 'get_view' function, which can be accessed without authentication (Tenable Research, NVD).

The SQL injection vulnerability exists due to improper validation of the 'id' parameter used in the 'get_view' function. The vulnerability can be exploited through a GET HTTP request against a WordPress instance using a vulnerable version of the plugin. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) according to NVD, while Tenable assessed it with a score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) (NVD, Tenable Research).

This vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations. The critical severity rating indicates that successful exploitation could lead to unauthorized access to sensitive data, potential database manipulation, and possible system compromise (NVD).

Users should upgrade to HTML5 Video Player WordPress Plugin version 2.5.25 or later to address this vulnerability. While the vendor did not explicitly acknowledge the vulnerability, the issue appears to have been fixed in version 2.5.25 (Tenable Research).