CVE-2024-5522: 
WordPress vulnerability analysis and mitigation

The HTML5 Video Player WordPress plugin before version 2.5.27 contains a critical SQL injection vulnerability (CVE-2024-5522) that affects over 30,000 active installations. The vulnerability allows unauthenticated users to perform SQL injection attacks due to improper parameter sanitization in a REST route (WPScan, Security Online).

The vulnerability stems from insufficient input validation and improper handling of SQL queries in the REST route parameter. The flaw has received a CVSS score of 8.6 (high), indicating its severe nature. The vulnerability specifically affects the plugin's REST API endpoint '/h5vp/v1/video/1', where the 'id' parameter is not properly sanitized before being used in SQL statements (WPScan).

Successful exploitation of this vulnerability could allow attackers to steal sensitive data including user credentials and financial details, modify website content, deface web pages, redirect visitors to malicious sites, inject harmful code, disrupt website operations, install backdoors, or potentially gain complete control of the affected site (Security Online).

Users are strongly advised to update the HTML5 Video Player plugin to version 2.5.27 or later, which contains the fix for this vulnerability. If immediate updating is not possible, it is recommended to temporarily disable or remove the plugin until the update can be applied (Security Online).