Impact
The Video List Manager plugin suffers from improper neutralization of input during web page generation. Stored cross-site scripting allows attackers to inject arbitrary JavaScript that is executed in the browsers of users who view the affected pages. This weakness (CWE-79) can lead to phishing, credential theft, or the execution of malicious code within the victim’s environment.
Affected Systems
The affected vendor is thanhtungtnt and the product is the Video List Manager plugin. Any installation of the plugin version 1.7 or earlier is potentially vulnerable. In the absence of more granular version data, all releases up to and including 1.7 are considered affected.
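The affected range above can be checked against an installation by reading the plugin header that WordPress itself parses. The following is an added example, not code from the plugin or from this advisory; the directory names in the sample tree are constructed, and a version above 1.7 is only reported as outside the advisory's stated range.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Video List Manager"   # product name from the advisory
LAST_AFFECTED = (1, 7)               # advisory: all releases up to and including 1.7
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def read_plugin_header(php_file):
    """Parse the 'Plugin Name' and 'Version' fields of a WordPress plugin header."""
    # WordPress itself only reads the first 8 KiB of the file for header data.
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def is_affected(version):
    """True if version <= 1.7; an unparseable version is treated as affected."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    if not parts:
        return True
    width = max(len(parts), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parts) <= pad(LAST_AFFECTED)

def audit(plugins_dir):
    """Return (directory, version, affected) for each copy of the plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php)
        if header.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = header.get("version", "")
            findings.append((php.parent.name, version, is_affected(version)))
    return findings

def make_sample_tree():
    """Constructed sample wp-content/plugins tree (directory names are hypothetical)."""
    root = Path(tempfile.mkdtemp())
    samples = {"video-list-manager": ("Video List Manager", "1.7"),
               "other-plugin": ("Some Other Plugin", "1.2")}
    for folder, (name, version) in samples.items():
        (root / folder).mkdir()
        (root / folder / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for folder, version, affected in audit(make_sample_tree()):
        print(f"{folder}: version {version or 'unknown'} -> "
              f"{'AFFECTED' if affected else 'outside advisory range'}")
```

Point `audit()` at a real `wp-content/plugins` directory to use it; matching is done on the header's plugin name rather than the folder name, so renamed install directories are still found.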
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability. The EPSS score is below 1%, suggesting that exploit attempts are unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the plugin’s input fields or list editing interface, where an attacker can store malicious payloads that are later rendered on pages accessed by other users. The attack requires the ability to create or modify video list entries; if the site allows anonymous posting, the risk would be higher, but if only administrators can edit, the threat is still significant due to the stored nature of the payload.