Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal_video_player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.3.
Published: 2025-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in the Universal Video Player plugin allows an attacker to inject JavaScript that is reflected back into the generated web page. The injected script runs in the context of the site, in the browser of any user who opens the crafted request, enabling session hijacking, defacement, or delivery of further payloads. The flaw is a classic reflected XSS weakness (CWE-79).

Affected Systems

The vulnerability affects all installations of the Universal Video Player plugin from its earliest releases through version 3.8.3. The plugin is distributed by LambertGroup. Any WordPress site that has this plugin installed and has been configured to accept user input for its video or audio settings is potentially impacted.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is rated high severity. The EPSS score is below 1%, indicating that large-scale exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a crafted URL or form submission that a victim opens or submits, so no privileged access is needed; the CVSS vector's PR:N and UI:R components reflect exactly this. An attacker can compromise the browser session of any user who views the affected page through such a crafted request.

Generated by OpenCVE AI on April 30, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Universal Video Player to 3.8.4 or later, removing the unsanitized input handling.
  • If an upgrade is not immediately possible, disable the plugin or the configuration feature that accepts untrusted input.
  • Implement a Web Application Firewall rule to block or sanitize the vulnerable request parameters and filter out injected JavaScript before rendering.

Generated by OpenCVE AI on April 30, 2026 at 17:56 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-17505
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 3.8.3.
History

Each entry lists the changed field (Type), followed by the values removed and the values added.

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 3.8.3.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal_video_player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.3.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics (epss), value removed: {'score': 0.00036}
  Metrics (epss), value added: {'score': 0.00039}

Tue, 10 Jun 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:15:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player allows Reflected XSS. This issue affects Universal Video Player: from n/a through 3.8.3.
  Title: WordPress Universal Video Player plugin <= 3.8.3 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.154Z

Reserved: 2025-04-01T13:21:47.739Z

Link: CVE-2025-31917

Vulnrichment

Updated: 2025-06-10T13:35:40.807Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:39.030

Modified: 2026-04-23T15:28:32.780

Link: CVE-2025-31917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses