Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by hdwplayer
CVE-2020-37218 (GCVE-0-2020-37218)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:22 – Updated: 2026-05-14 18:28
VLAI
Title
Joomla com_hdwplayer 4.2 SQL Injection via search.php
Summary
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48242 | exploit |
| https://www.hdwplayer.com/ | product |
| https://www.hdwplayer.com/download/ | product |
| https://www.vulncheck.com/advisories/joomla-com-h… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hdwplayer | com_hdwplayer |
Affected:
4.2
|
Date Public
2020-03-23 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37218",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:28:25.645405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:28:34.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com_hdwplayer",
"vendor": "Hdwplayer",
"versions": [
{
"status": "affected",
"version": "4.2"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hdwplayer:hdw_player:4.2:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "qw3rTyTy"
}
],
"datePublic": "2020-03-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:22:30.803Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48242",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48242"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.hdwplayer.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://www.hdwplayer.com/download/"
},
{
"name": "VulnCheck Advisory: Joomla com_hdwplayer 4.2 SQL Injection via search.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/joomla-com-hdwplayer-sql-injection-via-search-php"
}
],
"title": "Joomla com_hdwplayer 4.2 SQL Injection via search.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37218",
"datePublished": "2026-05-13T14:22:30.803Z",
"dateReserved": "2026-05-13T13:46:40.245Z",
"dateUpdated": "2026-05-14T18:28:34.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49178 (GCVE-0-2023-49178)
Vulnerability from cvelistv5 – Published: 2023-12-15 14:40 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress HDW Player Plugin (Video Player & Video Gallery) Plugin <= 5.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through 5.0.
Severity
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/hdw… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mr. Hdwplayer | HDW Player Plugin (Video Player & Video Gallery) |
Affected:
n/a , ≤ 5.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:43.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/hdw-player-video-player-video-gallery/wordpress-hdw-player-plugin-video-player-video-gallery-plugin-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hdw-player-video-player-video-gallery",
"product": "HDW Player Plugin (Video Player \u0026 Video Gallery)",
"vendor": "Mr. Hdwplayer",
"versions": [
{
"lessThanOrEqual": "5.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LEE SE HYOUNG (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player \u0026 Video Gallery) allows Reflected XSS.\u003cp\u003eThis issue affects HDW Player Plugin (Video Player \u0026 Video Gallery): from n/a through 5.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player \u0026 Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player \u0026 Video Gallery): from n/a through 5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:56.283Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/hdw-player-video-player-video-gallery/wordpress-hdw-player-plugin-video-player-video-gallery-plugin-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress HDW Player Plugin (Video Player \u0026 Video Gallery) Plugin \u003c= 5.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-49178",
"datePublished": "2023-12-15T14:40:46.985Z",
"dateReserved": "2023-11-22T23:36:35.545Z",
"dateUpdated": "2026-04-28T16:08:56.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2014-5180 (GCVE-0-2014-5180)
Vulnerability from cvelistv5 – Published: 2014-08-06 19:00 – Updated: 2024-09-17 03:28
VLAI
Summary
SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://codevigilant.com/disclosure/wp-plugin-hdw-… | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset?sfp_… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:37.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://codevigilant.com/disclosure/wp-plugin-hdw-player-video-player-video-gallery-a1-injection"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=900030%40hdw-player-video-player-video-gallery\u0026old=798976%40hdw-player-video-player-video-gallery\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-08-06T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://codevigilant.com/disclosure/wp-plugin-hdw-player-video-player-video-gallery-a1-injection"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=900030%40hdw-player-video-player-video-gallery\u0026old=798976%40hdw-player-video-player-video-gallery\u0026sfp_email=\u0026sfph_mail="
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://codevigilant.com/disclosure/wp-plugin-hdw-player-video-player-video-gallery-a1-injection",
"refsource": "MISC",
"url": "http://codevigilant.com/disclosure/wp-plugin-hdw-player-video-player-video-gallery-a1-injection"
},
{
"name": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=900030%40hdw-player-video-player-video-gallery\u0026old=798976%40hdw-player-video-player-video-gallery\u0026sfp_email=\u0026sfph_mail=",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=900030%40hdw-player-video-player-video-gallery\u0026old=798976%40hdw-player-video-player-video-gallery\u0026sfp_email=\u0026sfph_mail="
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-5180",
"datePublished": "2014-08-06T19:00:00.000Z",
"dateReserved": "2014-08-06T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:28:00.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}