Impact
This vulnerability arises from improper neutralization of input during web page generation, allowing a reflected cross-site scripting (XSS) attack. If exploited, an attacker could inject arbitrary JavaScript into the page as viewed by the victim, enabling session hijacking, defacement, or client-side malware delivery. The weakness is the classic CWE-79 pattern: untrusted request input is written into the page without being validated or encoded for its output context.
Affected Systems
The flaw affects the WordPress plugin Elite Video Player from CreativeMedia, specifically all installed versions from the earliest release up to and including version 10.0.5. Users running those versions are susceptible unless the plugin is updated or removed.
Risk and Exploitability
A CVSS score of 7.1 places the issue in the High severity band. The EPSS score of less than 1% denotes a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, the attack can be executed remotely by crafting a URL that passes malicious input to the plugin, which is then reflected back into the user's browser. The typical vector is a victim, whether authenticated or not, clicking a crafted link delivered by email or hosted on a compromised web page. Given the low EPSS, the likelihood of widespread attacks today is limited, but the flaw still represents a significant security risk for affected installations.
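The two passages above describe the mechanism (request input emitted into the page without neutralization) and the vector (a crafted URL whose parameter is reflected back). The following PHP is an added illustration written for this advisory; it is not code from the Elite Video Player plugin or its vendor, and the parameter names `evp_video` and `evp_title` and the function names are assumptions. It shows the vulnerable concatenation pattern next to the hardened form a WordPress developer would use: allow-list validation where the format is known, and WordPress's real `esc_attr()` / `esc_html()` output encoding (with `htmlspecialchars()` fallbacks so the file also runs outside WordPress).

```php
<?php
// Added illustration for this advisory; NOT code from the Elite Video Player
// plugin. The parameter names "evp_video"/"evp_title" and all function names
// are assumptions chosen for the example.
declare(strict_types=1);

// Fallbacks so the file runs as a plain `php evp_example.php` outside WordPress.
// Inside WordPress the real esc_attr()/esc_html() are already defined and win.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/**
 * VULNERABLE pattern, the shape CWE-79 describes: values taken from the
 * request (think $_GET) are concatenated straight into HTML, so any markup
 * carried in a crafted URL is emitted as markup in the victim's page.
 */
function evp_render_vulnerable(array $query): string
{
    $video = $query['evp_video'] ?? '';
    $title = $query['evp_title'] ?? '';
    return '<div class="evp-player" data-video="' . $video . '">'
         . '<h3>' . $title . '</h3></div>';
}

/**
 * HARDENED pattern: reject anything that is not a string, allow-list values
 * whose format is known, and encode every value for the exact context it
 * lands in (attribute vs. text node) at the moment it is written out.
 */
function evp_render_hardened(array $query): string
{
    $video = is_string($query['evp_video'] ?? null) ? $query['evp_video'] : '';
    $title = is_string($query['evp_title'] ?? null) ? $query['evp_title'] : '';

    // A video id is assumed to be 1-64 characters of [A-Za-z0-9_-]; anything
    // else is rejected outright rather than "cleaned", so nothing is smuggled.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $video)) {
        return '<div class="evp-player evp-error">Invalid video id</div>';
    }

    // Free text cannot be allow-listed, so it is encoded for its context:
    // esc_attr() inside the attribute, esc_html() inside the element body.
    return '<div class="evp-player" data-video="' . esc_attr($video) . '">'
         . '<h3>' . esc_html($title) . '</h3></div>';
}

// Constructed request values carrying HTML metacharacters (sample data only).
$constructed = [
    'evp_video' => 'abc123',
    'evp_title' => 'My clip <b>bold</b> & "quoted"',
];

$unsafe = evp_render_vulnerable($constructed);
$safe   = evp_render_hardened($constructed);

// In the vulnerable output the tag, ampersand and quotes survive verbatim;
// in the hardened output they are entity-encoded and render as literal text.
echo "vulnerable: $unsafe\n";
echo "hardened:   $safe\n";
echo 'raw <b> present in vulnerable output: ', (strpos($unsafe, '<b>') !== false ? 'yes' : 'no'), "\n";
echo 'raw <b> present in hardened output:   ', (strpos($safe, '<b>') !== false ? 'yes' : 'no'), "\n";
```

The fix that matters is the encoding at the point of output; the allow-list on the id is defense in depth for the one field whose shape is known. Where a value must end up in a URL or in inline JavaScript, HTML entity encoding alone is not sufficient and a context-specific encoder (for WordPress, `esc_url()` or `wp_json_encode()`) is needed instead.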
OpenCVE Enrichment