FV Flowplayer Video Player

fv-wordpress-flowplayer · by foliovision · wordpress.org ↗ · SVN ↗

Active installs: 20k+
Current version: 7.5.49.7212
Added: 2009-09-27
Last updated: 2026-03-10 (1mo ago)
First seen by beacon: 11d ago
Total downloads: 2,376,362

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:28 (2d ago)

Slug	fv-wordpress-flowplayer
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`7.5.49.7212`
Hit count	1
First hit	File `includes/fp-api-private.php` Line 397 Snippet L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\[\s\S]?\*/\s+~', '', $raw_respons
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "fv-wordpress-flowplayer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "7.5.49.7212",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 397,
        "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Critical code_scan_delta Resolved · false_positive_cdn_known_good 2026-04-30 08:11:04 (2d ago)

Slug fv-wordpress-flowplayer

Previous version 7.5.49.7212

Current version 7.5.49.7212

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`includes/fp-api-private.php`	397	L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\[\s\S]?\*/\s+~', '', $raw_respons	`high`

New finding count 1

View raw JSON

{
    "slug": "fv-wordpress-flowplayer",
    "previous_version": "7.5.49.7212",
    "current_version": "7.5.49.7212",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 397,
            "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

SVN committers (1)

Accounts with actual commit access to fv-wordpress-flowplayer on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
FolioVision	2007-04-18	500	2016-02-05 · r1344252	2026-03-10 · r3478883

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
FolioVision	2007-04-18	500 commits	Active

Versions (10 most recent)

Version	Released	Download
7.5.7.727	2021-10-06 · 4y ago	zip
6.6.6	2021-09-13 · 4y ago	zip
7.2.8.727	2021-09-13 · 4y ago	zip
7.1.15.727	2021-09-13 · 4y ago	zip
7.3.19.727	2021-09-13 · 4y ago	zip
7.4.47.727	2021-09-13 · 4y ago	zip
2.4.2	2018-06-27 · 7y ago	zip
0.9.17	2018-06-27 · 7y ago	zip
1.2.17	2018-06-27 · 7y ago	zip
6.0.5.24	2018-06-27 · 7y ago	zip