Impact
The WP Video Posts plugin contains an Improper Neutralization of Input flaw that allows an attacker to inject malicious script payloads into a web page when a victim requests a URL containing the payload. This is a Reflected Cross‑Site Scripting (XSS) vulnerability, identified as CWE‑79. The description does not specify particular downstream effects, but XSS permits arbitrary client‑side code execution which may expose or alter data visible to the victim’s browser. Based on typical XSS consequences, it is inferred that an attacker could potentially steal session cookies, capture credentials, or modify page content, although these outcomes are not explicitly stated in the CVE data.
Affected Systems
WordPress sites that use the cmstactics WP Video Posts plugin version 3.5.1 or earlier are affected. No other WordPress plugins or core versions are labeled as impacted by this vulnerability.
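To check an installation against this version range, the following added example (not code from the plugin or from the advisory) reads the plugin's header and flags versions at or below 3.5.1. The directory name `wp-video-posts` and the file name `main.php` are assumptions, since the page names neither, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 5, 1)       # from the advisory: 3.5.1 or earlier
PLUGIN_SLUG = "wp-video-posts"  # assumption: directory name is not given on the page

# Modelled on how WordPress reads plugin headers: "Version:" after comment chars.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(header_text[:8192])  # WordPress only reads the first 8 KiB
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # 3.5.1.0 compares equal to 3.5.1
        parts.pop()
    return tuple(parts)

def is_affected(version):
    """Unparseable versions count as affected so they get a manual look."""
    return version is None or version <= LAST_AFFECTED

def scan(wp_root):
    """Return (file name, version, affected) for each plugin main file found."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(errors="replace")
        if "Plugin Name:" in text[:8192]:
            version = parse_version(text)
            found.append((php.name, version, is_affected(version)))
    return found

def demo():
    """Build a constructed WordPress tree and scan it (sample data, not real)."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin.mkdir(parents=True)
    (plugin / "main.php").write_text(
        "<?php\n/*\n * Plugin Name: WP Video Posts\n * Version: 3.5.1\n */\n")
    return scan(root)

if __name__ == "__main__":
    for name, version, affected in demo():
        print(name, version, "AFFECTED" if affected else "ok")
```

Point `scan()` at a real WordPress root to audit a host. The page names no fixed release, so any version above 3.5.1 is reported as outside the stated range rather than as confirmed patched.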
Risk and Exploitability
The CVSS score of 7.1 indicates a medium to high severity for this client‑side flaw. The EPSS score of less than 1% suggests a low current threat level, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is reflected, an attacker generally needs to craft a URL or input containing malicious payloads that the victim then visits or submits. No special privileges are required, and the attack can be executed from an exposed web interface. The principal risk to an organization is the exposure of site visitors to client‑side compromise rather than direct server compromise.