Description
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Videos sync PDF plugin for WordPress, version 1.7.4, accepts user-controlled data in its media parameters (nom, pdf, mp4, webm, ogg) without proper sanitization. An authenticated user who can reach the plugin options panel can inject JavaScript payloads, such as autofocus or onfocus handlers, that execute in the browser context of any administrator who views or edits the video settings. The resulting arbitrary script execution allows compromise of administrative accounts through phishing or credential theft, impacting confidentiality, integrity, and availability at the administrative level.

Affected Systems

WordPress sites using the A-J-Evolution Videos sync PDF plugin version 1.7.4 are affected. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate-severity vulnerability. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so public exploitation has not yet been confirmed, though the description states that authenticated attackers can leverage the flaw. Attackers need authenticated access to the WordPress admin interface but can then trigger arbitrary script execution for any administrator who subsequently accesses the plugin settings. The lack of a publicly disclosed exploit does not mitigate the risk, as the vulnerability can be leveraged by any privileged user with knowledge of the plugin's functions.

Generated by OpenCVE AI on May 10, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Videos sync PDF plugin to the latest available version or remove it entirely if not required
  • Verify that only trusted, high-privilege administrators have access to the plugin's options panel and restrict other accounts through role management
  • If upgrading or removal is not immediately possible, modify the plugin’s source to sanitize all nom, pdf, mp4, webm, and ogg parameters or replace them with trusted input validation routines
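The third action above is the one a developer actually has to implement. The snippet below is an added illustration of the fix pattern for a WordPress options panel; it is not the Videos sync PDF plugin's code, and the option name (vsp_settings), the settings group, the hook names and the helper function names are assumptions made for the example. It shows the unsafe pattern (a stored option echoed straight into an HTML attribute) next to the hardened form, which sanitizes on save through register_setting()'s sanitize_callback, restricts the media fields to http/https URLs, and escapes every value again at output.

```php
<?php
// Hypothetical options handler written as an illustration. It is NOT the
// Videos sync PDF plugin's own code; the option name vsp_settings, the group
// vsp_options_group and the field names (nom, pdf, mp4, webm, ogg) are assumed.

// --- Unsafe pattern: the stored value is printed into an attribute unescaped,
// so anything saved into the option can break out of value="" and add markup
// or event handlers that run in the next administrator's browser.
function vsp_render_field_unsafe( $name, $options ) {
    $value = isset( $options[ $name ] ) ? $options[ $name ] : '';
    echo '<input type="text" name="vsp_settings[' . $name . ']" value="' . $value . '">';
}

// --- Hardened pattern -------------------------------------------------------

// 1. Sanitize on save. register_setting() runs this callback before the
//    option is written, so only cleaned values ever reach the database.
function vsp_sanitize_settings( $input ) {
    $clean = array();
    // The display name is plain text: strip tags, control chars and entities.
    $clean['nom'] = isset( $input['nom'] ) ? sanitize_text_field( $input['nom'] ) : '';
    // Media locations must be URLs. esc_url_raw() with an explicit protocol
    // allowlist drops anything that is not http(s), so scheme-based payloads
    // are rejected at save time rather than stored.
    foreach ( array( 'pdf', 'mp4', 'webm', 'ogg' ) as $key ) {
        $raw           = isset( $input[ $key ] ) ? trim( $input[ $key ] ) : '';
        $clean[ $key ] = esc_url_raw( $raw, array( 'http', 'https' ) );
    }
    return $clean;
}

function vsp_register_settings() {
    register_setting(
        'vsp_options_group',
        'vsp_settings',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'vsp_sanitize_settings',
            'default'           => array(),
        )
    );
}
add_action( 'admin_init', 'vsp_register_settings' );

// 2. Escape on output, regardless of what is stored. This is the step that
//    removes the XSS even if a bad value got into the option some other way.
function vsp_render_field_safe( $name, $options ) {
    $value   = isset( $options[ $name ] ) ? $options[ $name ] : '';
    $escaped = ( 'nom' === $name ) ? esc_attr( $value ) : esc_url( $value );
    printf(
        '<input type="text" name="vsp_settings[%1$s]" value="%2$s">',
        esc_attr( $name ),
        $escaped
    );
}

// 3. Check the capability before rendering; settings_fields() emits the
//    nonce and hidden fields that options.php verifies on submit.
function vsp_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vsp' ) );
    }
    $options = get_option( 'vsp_settings', array() );
    echo '<form method="post" action="options.php">';
    settings_fields( 'vsp_options_group' );
    foreach ( array( 'nom', 'pdf', 'mp4', 'webm', 'ogg' ) as $field ) {
        vsp_render_field_safe( $field, $options );
    }
    submit_button();
    echo '</form>';
}
```

The two halves of the fix are deliberately redundant: sanitizing on save limits what can be stored, but output escaping (esc_attr for text, esc_url for the media fields) is what actually prevents stored markup from rendering, and it must be applied at every place the option is printed, not only in this form.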


Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

First Time appeared (values added): A-j-evolution; A-j-evolution videos Sync Pdf; Wordpress; Wordpress wordpress
Vendors & Products (values added): A-j-evolution; A-j-evolution videos Sync Pdf; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Description (values added): WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.
Title (values added): WordPress Plugin Videos sync PDF 1.7.4 Stored XSS
Weaknesses (values added): CWE-79
References (values added): none listed
Metrics (values added):
  cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:49.145Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50949

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:32.790

Modified: 2026-05-10T13:16:32.790

Link: CVE-2022-50949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:57Z

Weaknesses