WordPress Plugin Vulnerabilities

Easy Video Player < 1.2.2.11 - Contributor+ Stored XSS

Description

The plugin does not validate and escape the ratio_code attribute of its evp_embed_video shortcode before outputting it back in a page where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
easy-video-player
Fixed in 1.2.2.11

References

CVE
CVE-2023-51689
URL
https://patchstack.com/database/vulnerability/easy-video-player/wordpress-easy-video-player-plugin-1-2-2-10-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
Yes
WPVDB ID
a38d3039-bace-47bd-b40b-f57635bc920d

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2024-06-10
Title
Custom Field Template < 2.6.2 - Authenticated (Admin+) Stored Cross-Site Scritping
Published
2023-09-05
Title
Raise Mag <= 1.0.7 and Wishful Blog <= 2.0.1 - Reflected XSS
Published
2025-09-18
Title
JetEngine < 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-02-01
Title
Ivory Search < 4.5.11 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2024-03-28
Title
Otter Blocks < 2.6.6 - Contributor+ Stored XSS