Description
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Videos sync PDF plugin for WordPress, version 1.7.4, accepts user‑controlled data in its media parameters (mov, pdf, mp4, webm, ogg) without proper sanitization. An authenticated user who can access the plugin options panel can inject JavaScript payloads—such as autofocus or onfocus event handlers—that execute in the browser context of any administrator who views or edits the video settings. The resulting arbitrary script execution allows compromise of administrative accounts through phishing or credential theft, impacting confidentiality, integrity, and availability at the administrative level.

Affected Systems

WordPress sites using the A‑J‑Evolution Videos sync PDF plugin version 1.7.4 are affected. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate‑severity vulnerability. The EPSS score of 0.00029 (less than 0.03%) shows that while exploitation likelihood is very low, it is non‑zero, meaning the flaw could attract data‑browsing or privilege‑focused attackers. The issue is not listed in the CISA KEV catalog, so no public exploit has been confirmed yet. Nonetheless, authenticated attackers can leverage the flaw to execute arbitrary scripts when administrators view or edit the plugin settings.

Generated by OpenCVE AI on May 12, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Videos sync PDF plugin to the latest available version or remove it entirely if not required
  • Verify that only trusted, high‑privilege administrators have access to the plugin’s options panel and restrict other accounts through role management
  • If upgrading or removal is not immediately possible, modify the plugin’s source to sanitize all mov, pdf, mp4, webm, and ogg parameters or replace them with trusted input validation routines

Generated by OpenCVE AI on May 12, 2026 at 02:51 UTC.
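An added illustration of the weakness class the advisory describes and of the sanitize-on-save plus escape-on-output fix the recommended actions call for. This is not the plugin's own code: the option names (vsp_mov and so on), the settings group, and the function names are assumptions chosen to mirror the five parameters named above.

```php
<?php
// Added illustration, not the plugin's code. Option names, settings group and
// function names are assumptions mirroring the advisory's mov/pdf/mp4/webm/ogg.
function vsp_media_keys() {
    return array( 'mov', 'pdf', 'mp4', 'webm', 'ogg' );
}

// Vulnerable pattern (the bug class in the advisory): a stored option is echoed
// straight into an attribute. A value containing a closing quote can therefore
// add its own attributes, such as event handlers, to the input element.
function vsp_render_field_unsafe( $key ) {
    $value = get_option( 'vsp_' . $key, '' );
    echo '<input type="text" name="vsp_' . $key . '" value="' . $value . '">';
}

// Fix, part 1: sanitize on save. register_setting() attaches a sanitize_callback
// that WordPress runs before the value reaches the database, so markup is never
// stored. esc_url_raw() keeps only a well-formed http(s) URL and strips quotes
// and angle brackets; anything else collapses to an empty string.
function vsp_sanitize_media_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

function vsp_register_settings() {
    foreach ( vsp_media_keys() as $key ) {
        register_setting( 'vsp_options', 'vsp_' . $key, array(
            'type'              => 'string',
            'sanitize_callback' => 'vsp_sanitize_media_url',
            'default'           => '',
        ) );
    }
}
add_action( 'admin_init', 'vsp_register_settings' );

// Fix, part 2: escape on output regardless of what is stored (defence in depth).
// esc_attr() encodes quotes, so a bad value that somehow reached the database is
// rendered as a literal string rather than as new attributes.
function vsp_render_field_safe( $key ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may see or edit the settings form
    }
    $name = 'vsp_' . $key;
    printf(
        '<label for="%1$s">%2$s</label> <input type="url" id="%1$s" name="%1$s" value="%3$s">',
        esc_attr( $name ),
        esc_html( strtoupper( $key ) ),
        esc_attr( get_option( $name, '' ) )
    );
}
```

The settings form that prints these fields should also wrap them in settings_fields( 'vsp_options' ) so the save request carries WordPress's nonce and the sanitize callback is applied.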

Advisories

No advisories yet.

History

Tue, 12 May 2026 01:15:00 +0000

Type: Description
Values removed: WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.
Values added: WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.

Mon, 11 May 2026 18:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values added: A-j-evolution; A-j-evolution videos Sync Pdf; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: A-j-evolution; A-j-evolution videos Sync Pdf; Wordpress; Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type: Description
Values added: WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.
Type: Title
Values added: WordPress Plugin Videos sync PDF 1.7.4 Stored XSS
Type: Weaknesses
Values added: CWE-79
Type: References
Values added:
Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:26.032Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50949

Vulnrichment

Updated: 2026-05-11T16:28:24.870Z

NVD

Status : Deferred

Published: 2026-05-10T13:16:32.790

Modified: 2026-05-12T14:24:15.210

Link: CVE-2022-50949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T03:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')