Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer yahoo-media-player allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through <= 2.0.6.
Published: 2025-08-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that will be executed by a visitor's browser. If an attacker can craft a request that the plugin reflects into a page, they could steal session cookies, deface the site, or redirect users to malicious sites. The weakness is a classic reflected XSS flaw (CWE-79).

Affected Systems

This flaw affects versions of the WordPress Yahoo! WebPlayer plugin from the earliest release up to and including 2.0.6, which is distributed by the 8bitkid developer. Any WordPress installation that has this plugin installed and has not applied the latest patch is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, and while the EPSS score is <1%, the attack vector is likely reflected, requiring only a crafted URL or input that the plugin will echo. The vulnerability is not listed in the CISA KEV catalog. Attackers with the ability to influence user input or links can exploit the flaw, potentially leading to credential theft and site compromise.

Generated by OpenCVE AI on April 30, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Yahoo! WebPlayer plugin to version 2.0.7 or later, which patches the XSS flaw.
  • If an upgrade cannot be performed immediately, deactivate or remove the plugin from the site to eliminate the vulnerable code path.
  • Apply a web-application firewall or client-side filtering that blocks suspicious script payloads, and ensure that all input from users is properly sanitized before rendering.

Advisories

Source: EUVD
ID: EUVD-2025-26005
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through 2.0.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through 2.0.6.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer yahoo-media-player allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through <= 2.0.6.

Type: References
(values not shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 28 Aug 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through 2.0.6.

Type: Title
Values Added: WordPress Yahoo! WebPlayer Plugin <= 2.0.6 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
(values not shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.039Z

Reserved: 2025-06-27T10:27:53.889Z

Link: CVE-2025-53215

Vulnrichment

Updated: 2025-08-28T18:43:21.260Z

NVD

Status: Deferred

Published: 2025-08-28T13:16:00.703

Modified: 2026-04-23T15:32:18.360

Link: CVE-2025-53215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses