Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio anyclip-media allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through <= 1.3.3.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows attackers to store malicious JavaScript in media objects created by AnyClip Luminous Studio. When affected content is viewed, the stored script runs in the victim's browser in the context of the affected site. This creates the potential for unauthorized access to session data, defacement of content, or other unintended browser actions. The vulnerability is classified as a stored XSS flaw (CWE-79).

Affected Systems

AnyClip Video Platform’s AnyClip Luminous Studio plugin versions up to and including 1.3.3 are vulnerable. The plugin runs inside WordPress and saves user‑supplied media metadata that is later displayed without proper escaping.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium level of risk, while the EPSS score of < 1% reflects a low likelihood of exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would rely on an attacker's ability to inject content that is stored by the plugin and subsequently rendered in the browsers of users who view the affected media. Beyond the CVSS vector recorded in the history on this page (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: network attack vector, low privileges required, user interaction required, changed scope), no additional prerequisites are detailed in the CVE data.

Generated by OpenCVE AI on April 30, 2026 at 06:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AnyClip Luminous Studio plugin to the latest non‑vulnerable version provided by the vendor.
  • If an upgrade is not possible, disable or uninstall the plugin to remove the attack surface.
  • As a temporary measure, configure WordPress or a web application firewall to strip or block script tags from media descriptions to prevent stored scripts from being executed.

Advisories
Source: EUVD
ID: EUVD-2025-30720
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio anyclip-media allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through <= 1.3.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Tue, 23 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.
Title WordPress AnyClip Luminous Studio Plugin <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.929Z

Reserved: 2025-08-22T11:36:00.588Z

Link: CVE-2025-57910

Vulnrichment

Updated: 2025-09-23T14:04:26.015Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:47.123

Modified: 2026-04-23T15:32:59.843

Link: CVE-2025-57910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')