Impact
This vulnerability results from improper neutralization of user-supplied input when generating a WordPress page, allowing attackers to embed malicious script code that is reflected back to the victim’s browser. The weakness falls under cross-site scripting and can be exploited to steal session cookies, hijack user accounts, display counterfeit content, or redirect users to phishing sites. The impact is degradation of user confidentiality and integrity, potentially leading to credential compromise or defacement of the site. The flaw is classified as CWE-79.
Affected Systems
All sites running LambertGroup Universal Video Player - Addon for WPBakery Page Builder on WordPress that are at or below version 3.2.1 are vulnerable. The plugin integrates with the WPBakery Page Builder and is activated via the WordPress theme or plugin interface.
Risk and Exploitability
The CVSS score of 7.1 signifies a high severity risk, while the EPSS score of less than 1% indicates that, at the time of analysis, the probability of exploitation in the wild is low. The flaw is not listed in the CISA KEV catalog. Attackers can exploit this reflected XSS by crafting a malicious link or form input that the plugin improperly sanitizes, leading the victim’s browser to execute injected script when the malicious data is rendered. Successful exploitation requires only that a user view the manipulated page; no administrative privileges are needed.
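To illustrate the class of defect described above and its fix, the following is an added example and not the plugin's own code: a hypothetical shortcode handler (`uvp_demo_player`, request parameter `uvp_src`, both assumed names) that reflects request input into generated markup, shown first without and then with WordPress output escaping.

```php
<?php
// Added illustration, not code from the affected plugin. The shortcode name
// 'uvp_demo_player' and the query parameter 'uvp_src' are hypothetical.

// VULNERABLE pattern: a request parameter is concatenated into HTML as-is.
// A value containing a double quote closes the data-src attribute, so any
// markup that follows it is parsed and rendered by the visitor's browser.
function uvp_demo_player_vulnerable( $atts ) {
    $src = isset( $_GET['uvp_src'] ) ? $_GET['uvp_src'] : '';
    return '<div class="uvp-player" data-src="' . $src . '"></div>';
}

// HARDENED pattern: sanitize on input, validate for the intended context
// (a URL), and escape at the point of output with the WordPress helpers.
function uvp_demo_player_hardened( $atts ) {
    $atts = shortcode_atts( array( 'src' => '' ), $atts, 'uvp_demo_player' );
    $src  = $atts['src'];
    if ( isset( $_GET['uvp_src'] ) ) {
        // wp_unslash() removes WordPress's added slashes; sanitize_text_field()
        // strips tags and control characters from the raw request value.
        $src = sanitize_text_field( wp_unslash( $_GET['uvp_src'] ) );
    }
    // esc_url() returns an empty string for schemes outside the allow-list,
    // so a javascript: or data: value never reaches the markup.
    $src = esc_url( $src, array( 'http', 'https' ) );
    // esc_attr() encodes quotes and angle brackets, so the value cannot
    // terminate the attribute or open a new tag.
    return '<div class="uvp-player" data-src="' . esc_attr( $src ) . '"></div>';
}
add_shortcode( 'uvp_demo_player', 'uvp_demo_player_hardened' );
```

The defensive rule the hardened version follows is escape late and for the exact output context (attribute, URL, HTML text), which is the neutralization step the advisory reports as missing.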
OpenCVE Enrichment