Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS.This issue affects Post Video Players: from n/a through <= 1.163.
Published: 2025-12-31
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation in the nicashmu Post Video Players plugin. Stored malicious scripts can be injected through the plugin’s input fields and later rendered by the web application. An attacker who successfully submits such content can have the script executed in the browsers of any visitors who load the affected page, leading to session hijacking, credential theft, defacement, or delivery of additional malware. This is a moderate‑severity XSS flaw classified as CWE‑79.

Affected Systems

WordPress sites that have the nicashmu Post Video Players plugin installed, specifically any release from the initial version through version 1.163 inclusive. The plugin is distributed under the name Post Video Players and is deployed on WordPress installations of any edition. No specific WordPress core or theme version is mentioned, so all WordPress hosts using the affected plugin are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact. The EPSS score of less than 1% suggests that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is inferred to be a stored XSS that exploits form or content input within the plugin; any user with permission to add or edit media or gallery entries can create the malicious payload. If the plugin is used on public sites where all visitors can view the stored content, the risk of widespread compromise increases. Prompt patching is therefore recommended to mitigate potential abuse.

Generated by OpenCVE AI on April 29, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the nicashmu Post Video Players plugin to version 1.164 or later.
  • If an upgrade is not immediately feasible, disable the plugin or restrict its use to trusted administrators and block execution of uploaded media through a web application firewall.
  • Conduct an audit of any stored scripts or user‑generated content from the plugin and sanitize or remove malicious entries.

Generated by OpenCVE AI on April 29, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Cincopa video and media plugin allows Stored XSS.This issue affects Cincopa video and media plug-in: from n/a through 1.163. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS.This issue affects Post Video Players: from n/a through <= 1.163.
Title WordPress Cincopa video and media plug-in plugin <= 1.163 - Cross Site Scripting (XSS) vulnerability WordPress Post Video Players plugin <= 1.163 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Cincopa
Cincopa video And Media Plug-in
Wordpress
Wordpress wordpress
Vendors & Products Cincopa
Cincopa video And Media Plug-in
Wordpress
Wordpress wordpress

Wed, 31 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 31 Dec 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Cincopa video and media plugin allows Stored XSS.This issue affects Cincopa video and media plug-in: from n/a through 1.163.
Title WordPress Cincopa video and media plug-in plugin <= 1.163 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Cincopa Video And Media Plug-in
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:02.966Z

Reserved: 2025-10-07T15:41:47.138Z

Link: CVE-2025-62142

cve-icon Vulnrichment

Updated: 2025-12-31T13:40:18.827Z

cve-icon NVD

Status : Deferred

Published: 2025-12-31T14:15:53.500

Modified: 2026-04-23T15:34:37.203

Link: CVE-2025-62142

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T18:15:17Z

Weaknesses