bplugins CVE Vulnerabilities & Metrics

Focus on bplugins vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About bplugins Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with bplugins. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total bplugins CVEs: 18
Earliest CVE date: 18 Oct 2021, 14:15 UTC
Latest CVE date: 15 Jan 2025, 16:15 UTC

Latest CVE reference: CVE-2025-22787

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 6

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 20.0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 20.0%

[Chart: Monthly CVE Trends (current vs previous year)]

[Chart: Annual CVE Trends (last 20 years)]

[Chart: Critical bplugins CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 1.28

Max CVSS: 5.0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 16
4.0-6.9 2
7.0-8.9 0
9.0-10.0 0

[Chart: CVSS Distribution]

Top 5 Highest CVSS bplugins CVEs

These are the five CVEs with the highest CVSS scores for bplugins, sorted by severity first, then by recency.

All CVEs for bplugins

CVE-2025-22787 bplugins vulnerability CVSS: 0 15 Jan 2025, 16:15 UTC

Missing Authorization vulnerability in bPlugins LLC Button Block allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Button Block: from n/a through 1.1.5.

CVE-2025-22815 bplugins vulnerability CVSS: 0 09 Jan 2025, 16:16 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LLC Button Block allows Stored XSS. This issue affects Button Block: from n/a through 1.1.6.

CVE-2024-43296 bplugins vulnerability CVSS: 0 01 Nov 2024, 15:15 UTC

Missing Authorization vulnerability in bPlugins LLC Flash & HTML5 Video allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flash & HTML5 Video: from n/a through 2.5.30.

CVE-2024-7727 bplugins vulnerability CVSS: 0 11 Sep 2024, 05:15 UTC

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.

CVE-2024-7721 bplugins vulnerability CVSS: 0 11 Sep 2024, 05:15 UTC

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.

CVE-2024-37445 bplugins vulnerability CVSS: 0 22 Jul 2024, 09:15 UTC

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in bPlugins Html5 Audio Player allows Stored XSS. This issue affects Html5 Audio Player: from n/a through 2.2.23.

CVE-2024-23508 bplugins vulnerability CVSS: 0 31 Jan 2024, 16:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poster – PDF Embedder Plugin for WordPress allows Reflected XSS. This issue affects PDF Poster – PDF Embedder Plugin for WordPress: from n/a through 2.1.17.

CVE-2024-1061 bplugins vulnerability CVSS: 0 30 Jan 2024, 09:15 UTC

The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25, is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

CVE-2023-6485 bplugins vulnerability CVSS: 0 01 Jan 2024, 15:15 UTC

The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which, combined with missing capability checks around the plugin, could allow any authenticated users, with a role as low as subscriber, to perform Stored Cross-Site Scripting attacks against high-privilege users like admins.

CVE-2023-46084 bplugins vulnerability CVSS: 0 06 Nov 2023, 10:15 UTC

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bPlugins LLC Icons Font Loader allows SQL Injection. This issue affects Icons Font Loader: from n/a through 1.1.2.

CVE-2023-5860 bplugins vulnerability CVSS: 0 02 Nov 2023, 12:15 UTC

The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2023-0170 bplugins vulnerability CVSS: 0 06 Feb 2023, 20:15 UTC

The Html5 Audio Player WordPress plugin before 2.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2021-24868 bplugins vulnerability CVSS: 4.0 01 Feb 2022, 13:15 UTC

The Document Embedder WordPress plugin before 1.7.9 contains an AJAX action endpoint, which could allow any authenticated user, such as a subscriber, to enumerate the title of arbitrary private and draft posts.

CVE-2021-24775 bplugins vulnerability CVSS: 5.0 01 Feb 2022, 13:15 UTC

The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.

CVE-2021-24416 bplugins vulnerability CVSS: 3.5 18 Oct 2021, 14:15 UTC

The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.

CVE-2021-24415 bplugins vulnerability CVSS: 3.5 18 Oct 2021, 14:15 UTC

The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.

CVE-2021-24413 bplugins vulnerability CVSS: 3.5 18 Oct 2021, 14:15 UTC

The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.

CVE-2021-24412 bplugins vulnerability CVSS: 3.5 18 Oct 2021, 14:15 UTC

The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.