Description
The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozen_conf() function. The 'lang' POST parameter is stored directly via update_option() without any sanitization, and later echoed inside a <textarea> element without applying esc_textarea() or any equivalent escaping function. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into the plugin settings page that will execute whenever any user accesses that page.
Published: 2026-04-17
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the videozen_conf() function, which accepts a POST parameter named "lang" and saves it directly to a WordPress option without any sanitization. When the value is later output inside a textarea element on the plugin settings page, it is rendered as raw HTML, allowing an attacker to inject custom JavaScript. Users who view the settings page will then execute the embedded script, potentially enabling session hijacking, defacement, or malicious redirects. This flaw is classified as CWE‑79 and requires the attacker to have Administrator or higher privileges to use the vulnerable form.
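As an added illustration (not the VideoZen plugin's own code), the store-and-echo pattern the advisory describes next to a hardened version using the WordPress sanitization and escaping APIs; the function and option names (example_conf_unsafe, example_conf_safe, example_lang, example_conf_save) are assumptions:

```php
<?php
// Hypothetical settings handlers for a WordPress plugin, added here to
// contrast the unsafe pattern with its fix. Names are assumptions.

// UNSAFE PATTERN (as the advisory describes): the POST value is stored
// without sanitization and later echoed without escaping.
function example_conf_unsafe() {
    if ( isset( $_POST['lang'] ) ) {
        update_option( 'example_lang', $_POST['lang'] ); // no sanitization
    }
    $lang = get_option( 'example_lang', '' );
    // Raw echo: a stored value containing a closing tag breaks out of the
    // textarea and is interpreted as markup by every viewer of the page.
    echo '<textarea name="lang">' . $lang . '</textarea>';
}

// HARDENED: capability check, CSRF nonce, input sanitization, output escaping.
function example_conf_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['lang'] ) ) {
        check_admin_referer( 'example_conf_save' ); // verifies the nonce
        // sanitize_textarea_field() strips tags and NUL bytes, keeps newlines.
        $clean = sanitize_textarea_field( wp_unslash( $_POST['lang'] ) );
        update_option( 'example_lang', $clean );
    }
    $lang = get_option( 'example_lang', '' );
    // esc_textarea() HTML-encodes the stored value, so it cannot close the
    // element or introduce new markup even if an unsafe value was stored.
    echo '<form method="post">';
    wp_nonce_field( 'example_conf_save' );
    echo '<textarea name="lang">' . esc_textarea( $lang ) . '</textarea>';
    echo '</form>';
}
```

Escaping on output with esc_textarea() is the control that neutralizes values already stored by the older code, so apply it even if input sanitization is also added.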

Affected Systems

The affected system is the WordPress plugin VideoZen from vendor jconti. The flaw exists in all versions up to and including 1.0.1. Any WordPress site that has installed this plugin and permits admin‑level users to modify the "VideoZen available subtitles languages" field is impacted.

Risk and Exploitability

The CVSS base score is 4.4, indicating medium‑low severity. No EPSS score is published, and the vulnerability is not currently listed in the CISA KEV catalog. Because the attack requires authentication and administrative access to the plugin’s settings page, it is not exploitable by unauthenticated actors. Nevertheless, within an environment where an attacker gains administrator rights—such as through credential compromise or social engineering—the vulnerability can be leveraged to execute arbitrary scripts with the privileges of any visitor to the settings page. The risk is considered significant for compromised sites, while the likelihood of exploitation outside such conditions is low.

Generated by OpenCVE AI on April 17, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update VideoZen to a version newer than 1.0.1 in which the 'lang' option is properly sanitized and output escaped.
  • If an update is not feasible immediately, disable or remove the "VideoZen available subtitles languages" configuration from the plugin settings to prevent the vulnerable POST parameter from being stored.
  • Configure a web application firewall to block or log attempts to submit script‑laden content to the "lang" field, and monitor server logs for suspicious activity.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 09:00:00 +0000

Values Added (no values removed):
  • Description: The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozen_conf() function. The 'lang' POST parameter is stored directly via update_option() without any sanitization, and later echoed inside a <textarea> element without applying esc_textarea() or any equivalent escaping function. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into the plugin settings page that will execute whenever any user accesses that page.
  • Title: VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field
  • Weaknesses: CWE-79
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T08:28:26.200Z

Reserved: 2026-04-16T18:09:59.771Z

Link: CVE-2026-6439

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T09:16:05.447

Modified: 2026-04-17T09:16:05.447

Link: CVE-2026-6439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T10:30:12Z

Weaknesses