Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder lbg_universal_video_player_addon_visual_composer allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through <= 3.2.1.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation, allowing attackers to trigger reflected cross‑site scripting. This flaw can enable the injection of arbitrary JavaScript into the pages rendered by the plugin, which may lead to session hijacking, credential theft, defacement, or the execution of malicious scripts under the victim’s user context. The weakness is classified as CWE‑79, representing unsafe handling of user‑supplied data during output generation.

Affected Systems

The affected product is LambertGroup Universal Video Player – Addon for WPBakery Page Builder, version 3.2.1 and earlier. WordPress installations that have not upgraded beyond 3.2.1 and are still using the WPBakery Page Builder framework are susceptible to this flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity rating, yet the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the reflected XSS by crafting a malicious URL or form input that the plugin accepts and reflects back to the browser, typically requiring the victim to visit the injected link or page. Persistence is limited and no elevation of privilege is necessary, but the impact can be significant if the victim is an authenticated user.

Generated by OpenCVE AI on April 30, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Universal Video Player – Addon for WPBakery Page Builder to the latest patch or a version later than 3.2.1 if available.
  • If an update is not applicable, completely remove or deactivate the plugin from the WordPress installation.
  • Configure a web application firewall or implement a strict Content Security Policy to block or escape injected scripts and mitigate reflected XSS attacks.

Advisories
Source: EUVD
ID: EUVD-2025-28531
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder lbg_universal_video_player_addon_visual_composer allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through <= 3.2.1.
References
Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1.
Title: WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References
Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:05:50.841Z

Reserved: 2025-07-03T14:50:56.330Z

Link: CVE-2025-53562

Vulnrichment

Updated: 2025-08-20T14:09:24.252Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:42.537

Modified: 2026-04-23T15:32:35.840

Link: CVE-2025-53562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')