wp-plugin : simple-flash-video

Plugin Details
Plugin Name: wp-plugin : simple-flash-video
Affected Version : 1.7 (and most probably lower versions, if any)
Vulnerability : Components with Known Vulnerabilities
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/plugins/simple-flash-video/mediaplayer.swf?file=http://nmap.org/images/sitelogo.png
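
The PoC above passes an off-site URL in the `file` parameter of the bundled mediaplayer.swf. The following is an added example, not part of the original advisory: it scans web-server access logs for requests to that player whose `file` value points at a host other than the site's own. The combined log format, the host name `blog.example` and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Player path from the PoC on this page (the install prefix may differ).
PLAYER_PATH = "/wp-content/plugins/simple-flash-video/mediaplayer.swf"
# Request line of a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; blog.example stands in for the site's own host.
_PREFIX = '192.0.2.10 - - [25/May/2014:10:00:01 +0000] "GET /wordpress'
_SUFFIX = ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
SAMPLE_LOG = [
    _PREFIX + PLAYER_PATH + "?file=http://nmap.org/images/sitelogo.png" + _SUFFIX,
    _PREFIX + PLAYER_PATH + "?file=/wordpress/wp-content/uploads/clip.flv" + _SUFFIX,
    _PREFIX + PLAYER_PATH + "?file=http%3A%2F%2Fblog.example%2Fclip.flv" + _SUFFIX,
    _PREFIX + "/index.php" + _SUFFIX,
]


def external_file_requests(log_lines, site_hosts):
    """Return (line_no, file_value) for player requests whose `file`
    parameter names a host that is not listed in site_hosts."""
    allowed = {h.lower() for h in site_hosts}
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(PLAYER_PATH):
            continue
        # parse_qs percent-decodes, so encoded URLs are compared in clear form.
        for value in parse_qs(target.query).get("file", []):
            # hostname is None for relative paths; scheme-relative
            # values (//host/...) still yield a host and are checked.
            host = (urlsplit(value).hostname or "").lower()
            if host and host not in allowed:
                hits.append((line_no, value))
    return hits


if __name__ == "__main__":
    for line_no, value in external_file_requests(SAMPLE_LOG, {"blog.example"}):
        print(f"line {line_no}: off-site file parameter -> {value}")
```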


Disclosure Timeline
Vendor Contacted : 2013-12-13
Plugin Status : Updated on 2014-01-11
Public Disclosure : May 25, 2014
CVE Number :
Plugin Description :
[ The Simple Flash Video Plugin builds on the plugins that already allow easy posting of .flv or .mp4 files on the popular WordPress platform. Simple Flash Video allows for all of the JW FLV options to be utilized via its config.xml file and post level overrides. With this plugin you can easily post .flv or .mp4 videos to your blog and have your viewers instantly watch the video without having to fully download the video before watching. It also combines the popular Shadowbox utility to allow for the videos to float over the website content for a clean look. Additionally it now includes Simple Stats which allow for highly detailed information on the viewing of your videos that are hosted played on your site. SFV can also utilize Longtail Video advertisement system which allows you to make money with your videos if you buy a licence for the player at [Longtail Video Site](http://www.longtailvideo.com/referral.aspx?page=pubreferral&ref=chckorwtpopjizb "Longtail Video"). This plugin was built from the ground up to take full advantage of the JW FLV Player and Shadowbox. Code has been used from the Flash Video Player by Joshua Eldridge as per the licence agreement. When you put the [video...] code in your plugin it will be replaced by a Link to the video that will open in a Shadowbox window. If a .jpg file is in the same directory with the same name as the flv it will also use that photo in the link. If no image is found it will simply place a Text link in your post. If you wish you can also disable the Shadowbox feature in the post command. ]