Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from improper neutralization of user-supplied input during web page generation, which allows reflected cross-site scripting in the WordPress plugin. The vulnerability is classified as CWE-79.

Affected Systems

LambertGroup’s HTML5 Video Player with Playlist & Multiple Skins plugin, affecting all releases from the initial deployment up to and including version 5.3.5.

Risk and Exploitability

The CVSS score of 7.1 signals a moderate-to-high severity. The EPSS score of less than 1 percent indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog. The description indicates that the flaw results from improper neutralization of user-supplied input, enabling reflected cross-site scripting when a victim’s browser renders the affected page. The exact conditions required for exploitation are not fully detailed, but the vulnerability is likely exploitable via crafted URLs or input that is reflected in the page.

Generated by OpenCVE AI on May 2, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HTML5 Video Player with Playlist & Multiple Skins plugin to v5.3.6 or later to eliminate the reflected XSS flaw.
  • If an upgrade is not immediately possible, restrict the plugin’s usage to administrators or disable its video-embedding features for non-admin users to prevent untrusted input from being processed.
  • Implement a site-wide web application firewall rule or security plugin that sanitizes all input parameters related to the plugin, ensuring that script tags and dangerous attributes are removed before rendering.

Generated by OpenCVE AI on May 2, 2026 at 00:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5.
Title WordPress HTML5 Video Player with Playlist & Multiple Skins plugin <= 5.3.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.772Z

Reserved: 2025-04-04T10:00:34.177Z

Link: CVE-2025-32123

cve-icon Vulnrichment

Updated: 2026-01-26T22:01:59.367Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:54.287

Modified: 2026-06-17T09:11:28.693

Link: CVE-2025-32123

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')