CVE-2024-5522 PoC — HTML5 Video Player < 2.5.27 - Unauthenticated SQLi

Source

https://github.com/kryptonproject/CVE-2024-5522-PoC

Associated Vulnerability

Title:HTML5 Video Player < 2.5.27 - Unauthenticated SQLi (CVE-2024-5522)
Description:The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Readme

# CVE-2024-5522-PoC : HTML5 Video Player < 2.5.27 - Unauthenticated SQLi
The plugin does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

setup script:
1. git clone https://github.com/kryptonproject/CVE-2024-5522-PoC
2. cd CVE-2024-5522-PoC
3. pip3 install r requirements.txt
4. python3 exploit.py

to find a target:
1. use this dork: "/wp-content/plugins/html5-video-player"
2. paste it on https://publicwww.com (or any search engine if you want, nobody gunno stop you)
3. copy all the target (example: https://www.target.com) and put it on txt file
4. run the script and put the target list path (for example: /home/user/target/target_list.txt) into the Poc script
5. and boom, hacked :)

File Snapshot


 [4.0K]  /data/pocs/0000fab4755e2e912d8539b1485d84d2ae5f8e98
├── [4.0K]  exploit.py
├── [1.0K]  LICENSE
├── [ 475]  payload.txt
├── [ 796]  README.md
└── [  35]  requirements.txt

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!