Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS. This issue affects Videos: from n/a through 1.0.5.
Published: 2025-04-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of script-related HTML tags in the Aviplugins Videos WordPress plugin allows attackers to inject malicious scripts via reflected XSS. The weakness, identified as CWE-80, can enable an attacker to execute arbitrary JavaScript in a user's browser when a crafted URL or input is processed by the plugin, potentially leading to data theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects the Aviplugins Videos WordPress plugin for all releases up to and including version 1.0.5, with no explicit lower bound specified. Any WordPress site running this plugin within that version range is susceptible.

Risk and Exploitability

With a CVSS score of 7.1, the issue is rated High severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation is possible through standard web requests that echo unsanitized user input; the CVSS vector records a network attack vector (AV:N) that requires no privileges (PR:N) but does require user interaction (UI:R).

Generated by OpenCVE AI on May 1, 2026 at 11:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Aviplugins Videos plugin to the latest stable release (>=1.0.6) when it becomes available on the WordPress repository or via the plugin’s official source.
  • If an update is not immediately available, disable the plugin on public‑facing pages or remove it entirely, restricting its functionality until the patch is deployed.
  • Implement a Web Application Firewall rule or employ output sanitization to strip or encode script tags from user input before rendering them, thereby mitigating the reflected XSS vulnerability.

Advisories
Source: EUVD
ID: EUVD-2025-9746
Title: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS. This issue affects Videos: from n/a through 1.0.5.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos videos allows Reflected XSS.This issue affects Videos: from n/a through <= 1.0.5.
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5.
Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5.
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos videos allows Reflected XSS.This issue affects Videos: from n/a through <= 1.0.5.
Type: References

Fri, 04 Apr 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 14:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Aviplugins Videos allows Reflected XSS.This issue affects Videos: from n/a through 1.0.5.
Type: Title
Values Added: WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-80
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.570Z

Reserved: 2025-03-28T10:59:17.384Z

Link: CVE-2025-31384

Vulnrichment

Updated: 2025-04-04T14:25:51.968Z

NVD

Status: Deferred

Published: 2025-04-04T14:15:22.780

Modified: 2026-04-28T19:31:00.200

Link: CVE-2025-31384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:30:15Z

Weaknesses