Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw: the ilGhera Related Videos for JW Player plugin writes attacker-controlled request input into a generated page without proper sanitization or output encoding. An attacker crafts a URL whose query carries JavaScript; the plugin reflects that input into the response, and the victim's browser executes it. When a site visitor follows such a link, the script runs in the origin of the WordPress site with the victim's privileges, so it can read data the page exposes, issue requests as the victim (including authenticated actions if the victim is logged in), deface the rendered page, or redirect the user to a phishing site. Session cookies set with the HttpOnly flag cannot be read directly by script, but the script can still act on the victim's behalf for as long as the page is open. The impact is confined to the victim's browser session rather than the server, but it can compromise user credentials and trust in the site.
Affected Systems
Sites running ilGhera's Related Videos for JW Player WordPress plugin at version 1.2.0 or earlier are affected. The vendor is ilGhera and the affected product is the Related Videos for JW Player plugin. No narrower range is given beyond the 1.2.0 cutoff, so every release up to and including 1.2.0 should be treated as vulnerable; confirm the installed version on the Plugins screen of the WordPress admin or with `wp plugin list`.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High band under CVSS v3.x (7.0 to 8.9). The EPSS score below 1% estimates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; neither metric means the flaw is hard to exploit, since a reflected XSS needs only a crafted link once a target site is identified. The attack is delivered over the network but requires user interaction: the attacker must get a victim to open a URL carrying the reflected payload, typically a link sent in a message or planted on another site. No privileges on the server are needed and the payload executes in the victim's browser, so the risk scales with how many users can be lured and whether they hold authenticated sessions.
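The reflection described above can be checked on a site you are authorized to test by sending a harmless canary in the suspected parameter and classifying how it comes back. The script below is an added example for this advisory, not code from the ilGhera plugin or from the advisory itself. The parameter name `video_id` and the target URL are assumptions (the advisory names no parameter), and the two `render_*` functions are a constructed stand-in for a page that echoes a query value, so the classification can be exercised offline.

```python
"""Reflected-XSS probe for a URL query parameter.

Added example for this advisory; it is not code from the ilGhera plugin or from
the advisory. The parameter name `video_id` and the URL are assumptions used for
illustration (the advisory names no parameter), and the two render_* functions
are a constructed stand-in for a page that echoes a query value, so that the
classification can be exercised offline.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request


def make_token() -> str:
    """Random marker so a reflection can be told apart from existing page content."""
    return secrets.token_hex(4)


def make_canary(token: str) -> str:
    # A quote, a closing bracket and an unknown tag: harmless in a browser, but
    # every one of these characters must be encoded by a correct output filter.
    return f'"><xss-{token}>'


def classify_reflection(body: str, token: str) -> str:
    """Classify how the page reflected the canary built from `token`.

    'raw'             the canary came back untouched: script injection works
    'quote-unescaped' < and > were encoded but the quote was not, so input
                      inside an attribute can still break out of it
    'escaped'         the token is present but the metacharacters are encoded
    'absent'          the parameter is not reflected at all
    """
    canary = make_canary(token)
    if canary in body:
        return "raw"
    if f'"&gt;&lt;xss-{token}&gt;' in body:
        return "quote-unescaped"
    if token in body:
        return "escaped"
    return "absent"


def build_probe_url(base_url: str, param: str, canary: str) -> str:
    """Return base_url with `param` set to the canary, replacing any existing value."""
    parts = urllib.parse.urlsplit(base_url)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, canary))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def probe(base_url: str, param: str, timeout: float = 10.0) -> str:
    """Fetch the page with the canary in `param` and classify the reflection (live request)."""
    token = make_token()
    url = build_probe_url(base_url, param, make_canary(token))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, token)


# Constructed stand-ins for the page-generation step; not the plugin's code.
def render_unescaped(value: str) -> str:
    """The vulnerable pattern: query input written straight into markup."""
    return f'<input type="hidden" name="video_id" value="{value}">'


def render_escaped(value: str) -> str:
    """The fix: encode for the attribute context (the role esc_attr() plays in WordPress)."""
    return f'<input type="hidden" name="video_id" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe.py https://site.example/some-page/ video_id
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        tok = make_token()
        canary = make_canary(tok)
        print("unescaped page:", classify_reflection(render_unescaped(canary), tok))
        print("escaped page:  ", classify_reflection(render_escaped(canary), tok))
```

The canary never executes anything, so the probe is safe to run against a production site you own; a result of `raw` or `quote-unescaped` is the condition the advisory describes, while `escaped` is what a patched output path should return. In a WordPress plugin the corresponding fix is to pass every reflected value through the context-appropriate escaping function (`esc_attr()` inside attributes, `esc_html()` in element content, `esc_url()` in href and src) at the point of output.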