CVE-2025-62142

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 14:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS. This issue affects Post Video Players: from n/a through <= 1.163.

Analysis

Stored cross-site scripting (XSS) in the nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163. No public exploit code has been identified, and the low EPSS score (0.01%) suggests limited real-world exploitation likelihood; note, however, that a stored payload keeps firing for every viewer until it is removed from the database.

Technical Context

This is a classic stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin. The underlying issue is insufficient input validation and output encoding when processing user-supplied data related to video playlists and galleries. Because the malicious payload is stored in the WordPress database rather than reflected from a URL parameter, it affects every user who views the compromised content without requiring them to follow a crafted link, which makes it harder to contain than reflected XSS. The plugin likely fails to sanitize inputs when creating or editing video playlist elements, allowing attackers to embed JavaScript that executes in admin and visitor contexts.
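To make the missing-encoding pattern concrete, here is an added illustration written for this page, not code from the Post Video Players plugin: a hypothetical WordPress meta box that saves and renders a playlist title, first in the vulnerable shape the CVE class describes and then hardened with a nonce, a capability check, sanitization on save and context-specific escaping on output. All function, field and meta-key names (prefixed `hypo_`) are assumptions.

```php
<?php
// Added illustration (not the plugin's code). All hypo_* names are assumptions.

// --- Vulnerable pattern: raw input stored, raw output echoed -----------------
function hypo_save_playlist_title_vulnerable( $post_id ) {
    if ( isset( $_POST['hypo_playlist_title'] ) ) {
        // No sanitization: a <script> tag in the title goes straight into postmeta.
        update_post_meta( $post_id, '_hypo_playlist_title', $_POST['hypo_playlist_title'] );
    }
}

function hypo_render_playlist_title_vulnerable( $post_id ) {
    $title = get_post_meta( $post_id, '_hypo_playlist_title', true );
    // No output encoding: whatever was stored runs in every visitor's browser.
    echo '<div class="playlist-title" data-title="' . $title . '">' . $title . '</div>';
}

// --- Hardened pattern: nonce, capability check, sanitize on save, escape on output
function hypo_save_playlist_title( $post_id ) {
    if ( ! isset( $_POST['hypo_playlist_nonce'] )
        || ! wp_verify_nonce( $_POST['hypo_playlist_nonce'], 'hypo_save_playlist' ) ) {
        return; // reject requests that did not originate from the plugin's own form
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // only users allowed to edit this post may change its playlist data
    }
    if ( isset( $_POST['hypo_playlist_title'] ) ) {
        // sanitize_text_field() strips tags and control characters before storage.
        $title = sanitize_text_field( wp_unslash( $_POST['hypo_playlist_title'] ) );
        update_post_meta( $post_id, '_hypo_playlist_title', $title );
    }
}

function hypo_render_playlist_title( $post_id ) {
    $title = get_post_meta( $post_id, '_hypo_playlist_title', true );
    // Escape for the exact output context: esc_attr() inside an attribute value,
    // esc_html() in element text. Output escaping still holds if sanitization was
    // bypassed (e.g. data written by an older, unpatched version of the plugin).
    printf(
        '<div class="playlist-title" data-title="%s">%s</div>',
        esc_attr( $title ),
        esc_html( $title )
    );
}

add_action( 'save_post', 'hypo_save_playlist_title' );
```

The same split applies to any richer field such as a gallery description: sanitize with wp_kses_post() on save and escape with the matching esc_* helper at the point of output rather than trusting stored data.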

Affected Products

nicashmu Post Video Players (video-playlist-and-gallery-plugin) versions from an unspecified baseline through and including 1.163. The plugin is distributed via the WordPress.org plugin repository. Affected WordPress installations running this plugin at version 1.163 or earlier are vulnerable. Exact version history and the initial vulnerable version are not specified in available data.

Remediation

Update the Post Video Players plugin to a version newer than 1.163; consult the plugin's WordPress.org repository page or vendor advisory at patchstack.com/database for the specific patched version number. WordPress administrators should navigate to Plugins > Installed Plugins, locate Post Video Players, and apply the available update immediately. If an update is not yet available, restrict plugin access to trusted administrators only and audit existing video playlists and gallery content for injected scripts. Site owners should also review WordPress security logs for any evidence of malicious script injection in video metadata or gallery configurations.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
