WP Beacon

FV Flowplayer Video Player

fv-wordpress-flowplayer · by foliovision · wordpress.org ↗ · SVN ↗
Active installs
20k+
Current version
7.5.50.7212
Added
2009-09-27
Last updated
2026-05-04 (18d ago)
First seen by beacon
1mo ago
Total downloads
2,382,960

Alerts (0)

No open alerts.

Show 3 resolved alerts
Critical code_scan_match Resolved · dead_endpoint_or_gated 2026-05-05 12:33:06 (17d ago)
Slugfv-wordpress-flowplayer
Finding count1
Findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinincludes/fp-api-private.php381L371: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L381: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_responshigh
Resolved sha28641141fc4be13117ae150b04ac279035fccf01
View raw JSON
{
    "slug": "fv-wordpress-flowplayer",
    "finding_count": 1,
    "findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 381,
            "snippet": "L371: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L381: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "resolved_sha": "28641141fc4be13117ae150b04ac279035fccf01"
}
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:28 (22d ago)
Slugfv-wordpress-flowplayer
Patternunserialize_after_remote_call
Kindbuiltin
Version7.5.49.7212
Hit count1
First hit
File
includes/fp-api-private.php
Line
397
Snippet
L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "fv-wordpress-flowplayer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "7.5.49.7212",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 397,
        "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_scan_delta Resolved · false_positive_cdn_known_good 2026-04-30 08:11:04 (22d ago)
Slugfv-wordpress-flowplayer
Previous version7.5.49.7212
Current version7.5.49.7212
New findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinincludes/fp-api-private.php397L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_responshigh
New finding count1
View raw JSON
{
    "slug": "fv-wordpress-flowplayer",
    "previous_version": "7.5.49.7212",
    "current_version": "7.5.49.7212",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 397,
            "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

SVN committers (1)

Accounts with actual commit access to fv-wordpress-flowplayer on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
FolioVision 2007-04-18 500 2016-02-06 · r1344432 2026-05-04 · r3522496

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
FolioVision 2007-04-18 500 commits Active

Versions (10 most recent)

Version Released Download
7.5.7.727 2021-10-06 · 4y ago zip
6.6.6 2021-09-13 · 4y ago zip
7.2.8.727 2021-09-13 · 4y ago zip
7.1.15.727 2021-09-13 · 4y ago zip
7.3.19.727 2021-09-13 · 4y ago zip
7.4.47.727 2021-09-13 · 4y ago zip
2.4.2 2018-06-27 · 7y ago zip
0.9.17 2018-06-27 · 7y ago zip
1.2.17 2018-06-27 · 7y ago zip
6.0.5.24 2018-06-27 · 7y ago zip