Description
The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this.
Published: 2025-04-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that enables arbitrary script execution on pages viewed by users
Action: Immediate Update
AI Analysis

Impact

The Able Player plugin for WordPress contains a stored cross‑site scripting flaw in the ‘preload’ parameter. Because the plugin does not properly sanitize or escape the value, authenticated users with Contributor-level access can inject arbitrary web scripts. When users later view the affected page, those scripts run in the context of the website, allowing the attacker to steal session data, deface content, or perform other malicious actions.

Affected Systems

Able Player, an accessible HTML5 media player plugin for WordPress developed by joedolson, is affected in all plugin versions up to and including 1.2.1. Any installation running one of those releases carries the vulnerability.

Risk and Exploitability

The evaluation assigns a CVSS 3.1 score of 6.4 (medium). The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N indicates a flaw reachable over the network with low attack complexity, requiring a low-privileged authenticated account, needing no interaction from the victim, and changing scope, with limited impact on confidentiality and integrity and none on availability. With an EPSS score below 1 % and no CISA KEV listing, exploitation in the wild is not considered probable, yet any authenticated contributor can still use it to inject scripts. An attacker would need access to the WordPress backend with Contributor-level permissions or higher; once injected, the stored payload is delivered on every subsequent load of the affected page to any user who views it.

Generated by OpenCVE AI on April 21, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Able Player plugin to version 1.2.2 or later, which contains fixes that properly sanitize the preload parameter.
  • If an upgrade cannot be applied immediately, restrict the Contributor role and any roles with equivalent permissions so that only trusted users can edit media items.
  • Search the database for stored ‘preload’ values that contain code and remove or sanitize any injected scripts, then perform a site‑wide scan to ensure no remaining malicious payloads are present.
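The two code-level actions above (sanitizing the preload parameter in the plugin, and locating stored values that are not legitimate preload keywords) can be illustrated with the following added example. It is not Able Player's code and the function names are hypothetical; it assumes only plain PHP, using htmlspecialchars() where a WordPress plugin would call esc_attr(). The HTML preload attribute is an enumerated attribute with exactly three keywords (none, metadata, auto), so the correct fix is an allow-list rather than a blacklist, followed by attribute escaping on output. The sample stored values at the bottom are constructed.

```php
<?php
// Added example, not the plugin's own code. Function names are hypothetical.
// htmlspecialchars() stands in for WordPress's esc_attr() so this runs outside WordPress.

/**
 * Return a safe preload value. HTML defines only three keywords
 * (none, metadata, auto); anything else falls back to the default.
 */
function example_sanitize_preload( $value ) {
    $allowed = array( 'none', 'metadata', 'auto' );
    $value   = strtolower( trim( (string) $value ) );
    return in_array( $value, $allowed, true ) ? $value : 'metadata';
}

/** Generic unsafe pattern: a user-supplied value is concatenated straight into markup. */
function example_render_preload_unsafe( $preload ) {
    return '<video preload="' . $preload . '"></video>';
}

/** Hardened pattern: allow-list first, then attribute-escape the result on output. */
function example_render_preload_safe( $preload ) {
    $clean = example_sanitize_preload( $preload );
    // In a WordPress plugin use esc_attr( $clean ) here.
    return '<video preload="' . htmlspecialchars( $clean, ENT_QUOTES, 'UTF-8' ) . '"></video>';
}

/**
 * Cleanup aid: given stored preload values keyed by their row or post id
 * (for example pulled from postmeta or shortcode attributes), return the
 * entries that are not valid keywords so they can be reviewed and replaced.
 */
function example_find_suspicious_preload( array $stored ) {
    $allowed = array( 'none', 'metadata', 'auto' );
    return array_filter( $stored, function ( $value ) use ( $allowed ) {
        return ! in_array( strtolower( trim( (string) $value ) ), $allowed, true );
    } );
}

// Constructed inputs: a legitimate keyword and an attribute-breaking value.
foreach ( array( 'auto', '"><b>injected</b>' ) as $input ) {
    echo "unsafe: " . example_render_preload_unsafe( $input ) . "\n";
    echo "safe:   " . example_render_preload_safe( $input ) . "\n";
}

// Constructed sample of stored values; only post_17 should be flagged.
$stored = array(
    'post_12' => 'auto',
    'post_17' => '"><b>injected</b>',
    'post_23' => ' Metadata ',
);
echo "suspicious rows: " . implode( ', ', array_keys( example_find_suspicious_preload( $stored ) ) ) . "\n";
```

Run it with `php example.php`. The unsafe renderer emits the attribute-breaking value verbatim, the safe renderer emits `preload="metadata"` for it, and only `post_17` is reported as suspicious. Because the allow-list reduces every input to one of three fixed keywords, the escaping step is defence in depth rather than the only barrier.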


Advisories

Source: EUVD
ID: EUVD-2025-12402
Title: The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Values Added: The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-46475 may be a duplicate of this.

Fri, 25 Apr 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 25 Apr 2025 04:45:00 +0000

Type: Description
Values Added: The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:04:39.477Z
Reserved: 2025-04-16T21:29:18.314Z
Link: CVE-2025-3752

Vulnrichment

Updated: 2025-04-25T19:24:52.751Z

NVD

Status: Deferred
Published: 2025-04-25T05:15:32.830
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-3752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses