Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio anyclip-media allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through <= 1.3.3.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to store malicious script payloads in the WordPress AnyClip Luminous Studio plugin. When a victim views the affected content, the injected script executes in the victim's browser, enabling session hijacking, defacement, or the delivery of additional malware. The weakness is a stored XSS flaw and is categorized as CWE‑79.

Affected Systems

AnyClip Luminous Studio, a plugin for WordPress, is affected in all releases up to and including version 1.3.3. The issue is present in the anyclip-media component, which is commonly used within WordPress sites that host video content.

Risk and Exploitability

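The CVSS base score of 5.9 indicates medium severity, and the EPSS score of less than 1% means the likelihood of exploitation in the wild is low. The CVSS vector (PR:H, UI:R, S:C) shows that the attacker needs a high-privilege account, that a victim must interact with the affected content, and that the impact extends beyond the vulnerable component. The vulnerability is not listed in the CISA KEV catalog, and no public exploit has been documented. A likely attack vector involves an adversary submitting malicious content through the plugin’s storage features, which is then rendered on the site for all users.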

Generated by OpenCVE AI on April 30, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AnyClip Luminous Studio plugin to the latest release that addresses the XSS issue.
  • If an update is not available, permanently disable or remove the plugin from the WordPress installation to eliminate the vulnerability surface.
  • Audit all stored content for injected scripts, clean any malicious payloads, and implement a content review process to prevent future code injection.

Advisories
Source: EUVD
ID: EUVD-2025-30544
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio anyclip-media allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through <= 1.3.3.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AnyClip Video Platform AnyClip Luminous Studio allows Stored XSS. This issue affects AnyClip Luminous Studio: from n/a through 1.3.3.
Title WordPress AnyClip Luminous Studio Plugin <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T01:00:11.157Z

Reserved: 2025-08-27T16:20:02.776Z

Link: CVE-2025-58271

Vulnrichment

Updated: 2025-09-23T13:59:09.270Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:14.050

Modified: 2026-04-23T15:33:25.460

Link: CVE-2025-58271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')