The HD FLV Player plugin for Joomla, WordPress and custom websites are at risk of being used to send spam emails. The issue is found in the following files: download.php and email.php. There are no security checks being applied before accessing this file, making it accessible, and exploitable, to anyone that knows the URL structure to the file. The custom version of this plugin is still at risk, leaving the custom website version vulnerable to the issue. Any site behind our Website Firewall (CloudProxy) are automatically protected against this vulnerability.”]
Source: https://blog.sucuri.net/2014/12/critical-vulnerability-in-joomla-hd-flv-player-plugin.html

