Description
The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Media Player Addons for Elementor plugin for WordPress is vulnerable to stored cross‑site scripting because certain widget attributes—subtitle_ssize, track_title, and track_artist_name—are neither sanitized nor properly escaped. This weakness allows authenticated contributors or higher to inject arbitrary HTML or JavaScript into pages that display the affected widget. An attacker could then execute malicious scripts in the context of any visitor to the site, potentially defacing content, stealing session cookies, or executing other client‑side attacks. The flaw is a classic input validation and output encoding problem identified as CWE‑79.

Affected Systems

The vulnerable software is the Media Player Addons for Elementor – Audio and Video Widgets for Elementor plugin for WordPress. All releases up to and including version 1.0.5 contain the flaw.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the required attacker privilege is only contributor‑level or higher, which is difficult to obtain for an external attacker but realistic for a disgruntled or compromised internal user. If exploited, the impact could enable persistent client‑side attacks, defacement, or credential theft on the site.

Generated by OpenCVE AI on April 22, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Media Player Addons for Elementor plugin to a version newer than 1.0.5, if one is available.
  • If an update cannot be applied immediately, remove or disable the widget fields that accept subtitle_ssize, track_title, and track_artist_name, or ensure they are properly sanitized and escaped using WordPress escape routines.
  • Limit contributor‑level access to trusted users only and consider using a stricter role hierarchy or additional access control checks to reduce the risk of abuse.
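The second recommendation above, shown in code. This is an added illustration and not the plugin's own source: a hypothetical widget render method that takes the three attribute names from the advisory (subtitle_ssize, track_title, track_artist_name) and contrasts the unescaped pattern the advisory describes with one that validates on input and escapes for the exact output context. It assumes WordPress is loaded, because absint(), sanitize_text_field(), esc_attr() and esc_html() are WordPress core functions; the function names, the size bounds and the markup are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.

// Vulnerable pattern (illustrative): user-controlled settings are concatenated
// straight into markup, so any HTML or script in them is rendered as-is.
function mpa_render_track_unsafe( array $settings ) {
    return '<div class="mpa-track" data-subtitle-size="' . $settings['subtitle_ssize'] . '">'
         . '<h3>' . $settings['track_title'] . '</h3>'
         . '<span>' . $settings['track_artist_name'] . '</span>'
         . '</div>';
}

// Hardened pattern: constrain each value to what it is supposed to be on the way in,
// then escape it for the specific context (attribute vs. element text) on the way out.
function mpa_render_track_safe( array $settings ) {
    // subtitle_ssize is a font size, so it should never carry markup: coerce to a
    // non-negative integer and clamp it (the 8..72 px range is an assumption).
    $size = absint( $settings['subtitle_ssize'] ?? 16 );
    $size = max( 8, min( 72, $size ) );

    // Free-text fields: strip tags, line breaks and invalid UTF-8 first.
    $title  = sanitize_text_field( $settings['track_title'] ?? '' );
    $artist = sanitize_text_field( $settings['track_artist_name'] ?? '' );

    // sanitize_text_field() does not encode quotes or ampersands, so output
    // escaping is still required; pick the escaper for each context.
    return sprintf(
        '<div class="mpa-track" data-subtitle-size="%s"><h3>%s</h3><span>%s</span></div>',
        esc_attr( (string) $size ),   // HTML attribute value
        esc_html( $title ),           // element text
        esc_html( $artist )           // element text
    );
}
```

Escaping at output is the control that actually closes CWE-79 here: Elementor stores widget settings as post meta, and a contributor-supplied value can reach the render path regardless of which editor screen saved it, so sanitizing on save alone leaves the stored value trusted by every later template.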

Advisories
Source: EUVD
ID: EUVD-2025-29694
Title: The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 17 Sep 2025 13:15:00 +0000

Type | Values Removed | Values Added

Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 06:45:00 +0000

Type | Values Removed | Values Added

Description: The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title: Media Player Addons for Elementor <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields
Weaknesses: CWE-79
References:
Metrics: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:57.655Z

Reserved: 2025-08-19T17:43:22.904Z

Link: CVE-2025-9203

Vulnrichment

Updated: 2025-09-17T12:52:29.513Z

NVD

Status : Deferred

Published: 2025-09-17T07:15:42.083

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses