The vulnerability arises from improper sanitization of user‑supplied input during the generation of web pages, enabling attackers to inject malicious scripts that are reflected in the browser’s rendering. This flaw is classified under CWE‑79 and allows an attacker to execute arbitrary code in the context of the victim’s browser, potentially stealing session cookies, defacing content, and facilitating further phishing attempts. The impact is across confidentiality, integrity, and availability of the user data presented by the plugin, but it does not grant direct server‑side control.

LambertGroup’s HTML5 Video Player plugin for WordPress, all releases from the earliest available version up to and including 5.3.5, is affected. Users running any of these versions on WordPress sites are vulnerable if the plugin is active and accessible.

The CVSS score of 7.1 indicates a high severity level, yet the EPSS score of less than 1% suggests exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the reflected XSS by crafting a URL that includes malicious payloads or by manipulating plugin parameters that are not properly sanitized. The attack is web‑based and requires user interaction to visit the exploited page, but does not need privileged access or direct exploitation of the underlying server.