Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin video-player-youtube-vimeo allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through <= 3.8.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of user input that permits reflected cross‑site scripting in the LambertGroup Youtube Vimeo Video Player and Slider WP Plugin. An attacker can craft a malicious URL or input that, when processed by the plugin, injects arbitrary JavaScript into the browser of a user who views the page. The vulnerability is rated CVSS 7.1 and matches CWE‑79, indicating the risk of untrusted data influencing page rendering, which can lead to credential theft, defacement, or other client‑side exploits. The impact is limited to the session of the victim user but can affect multiple visitors if the page is widely shared.

Affected Systems

Vendors and products targeted are LambertGroup’s Youtube Vimeo Video Player and Slider WP Plugin. All releases up to and including version 3.8 are affected; no further sub‑versions are listed.

Risk and Exploitability

Because the vulnerability is reflected, an attacker must first lure a victim to a manipulated URL or form field; no authentication or privileged access is required. The EPSS score is below 1%, suggesting that widespread exploitation is currently unlikely, and the vulnerability is not included in CISA’s Known Exploited Vulnerabilities catalog. Nonetheless, the CVSS score of 7.1 is rated High, and although exploitation requires user interaction, vigilance and timely patching remain important.

Generated by OpenCVE AI on April 30, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 3.9 or later, which contains the fix for the XSS issue.
  • Disable the plugin until the v3.9 update is applied to prevent potential exploitation.
  • Implement a temporary output sanitization measure to escape any user‑supplied data before rendering within the plugin’s output.



Advisories
Source: EUVD
ID: EUVD-2025-25282
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through 3.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through 3.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin video-player-youtube-vimeo allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through <= 3.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through 3.8.
Title WordPress Youtube Vimeo Video Player and Slider WP Plugin <= 3.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.861Z

Reserved: 2025-05-15T18:02:03.511Z

Link: CVE-2025-48159

Vulnrichment

Updated: 2025-08-20T13:53:02.977Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:31.703

Modified: 2026-04-23T15:30:54.347

Link: CVE-2025-48159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses