Video Player <= 1.5.22 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2023-48320 | Plugin Vulnerabilities

Description

The SpiderVPlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1627ec2a-f91d-4ed7-acb8-a3fb63b45731

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

SeungYongLee

Verified

No

WPVDB ID

81c4c23d-1d05-45cd-a660-3b9c457ea118

Timeline

Publicly Published

2023-11-23 (about 2 years ago)

Added

2023-11-29 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-09-27

Title

Popular Posts by Webline <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-04-07

Title

PrivateContent Free < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute

Published

2025-01-24

Title

Plethora Plugins Tabs + Accordions < 1.2 - Contributor+ Stored XSS

Published

2023-11-10

Title

Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2021-05-26

Title

Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)