The vulnerability is an improper neutralization of input during web page generation that allows an attacker to embed arbitrary JavaScript in a page that is rendered to users. An attacker can craft a URL containing a malicious script in a parameter that the plugin does not escape before including it in the page. When a user visits the link or the site renders the widget, the injected script executes in the victim’s browser, enabling defacement, cookie theft, session hijacking, or redirection to phishing sites. This flaw exists because the Universal Video Player plugin fails to properly escape all user‑supplied data before outputting it, a weakness identified as CWE‑79.

All WordPress installations that contain the Universal Video Player plugin by LambertGroup, versions from the earliest available revision through any release up to and including 1.4.0, are affected. The plugin renders video widgets via an Elementor widget and does not escape user input in certain query parameters.

The reported CVSS score of 7.1 indicates a high severity for the vulnerability. The EPSS score of <1% suggests a low exploitation probability at this time, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, attackers could exploit the flaw with a simple crafted URL or by embedding the payload in a widget that users view. A successful exploit would give attackers the ability to run arbitrary client‑side scripts. The actual impact depends on the victim’s privileges and the location of the injected code, but it can lead to major confidentiality and integrity breaches for end users of the site.