Skip to main content

Presto Player

3 CVEs product

Monthly

CVE-2026-9125 MEDIUM This Month

Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.

WordPress XSS Presto Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-45442 MEDIUM This Month

Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Presto Player
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-2428 MEDIUM POC This Month

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Presto Player
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.

WordPress XSS Presto Player
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Presto Player
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Presto Player
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy