Description
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-12
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Presto Player plugin allows an authenticated user with contributor or higher privileges to embed a [presto_player_overlay] shortcode that contains an unchecked 'link_url' attribute. When the plugin renders the overlay, the raw value of 'link_url' is inserted into an anchor tag without validating the URI scheme, permitting javascript: URLs. This enables the attacker to inject and execute arbitrary JavaScript whenever a page containing the malicious overlay is loaded by any visitor, resulting in a classic client‑side code execution flaw (CWE‑79).

Affected Systems

The vulnerability affects the WordPress plugin Presto Player developed by 2winfactor. All releases up to and including version 4.2.0 are affected. Any WordPress installation using these versions of the plugin is potentially compromised.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Although no EPSS score is available, the known attack pattern requires authenticated contributor-level access and the ability to insert or edit shortcodes, a privilege that is common on many sites. The flaw is not listed in CISA’s KEV catalog, which indicates no confirmed in-the-wild exploitation yet, but the technique is straightforward and could be leveraged for phishing or data theft if an attacker gains contributor access. The primary vector is the plugin’s shortcode processing path and the lack of scheme validation in the overlay configuration.

Generated by OpenCVE AI on June 12, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Presto Player plugin to the latest version that contains the XSS fix, removing the vulnerable shortcode handling logic
  • If an immediate upgrade is not possible, remove or disable the contributor role from editing content that can include the [presto_player_overlay] shortcode, thereby preventing the injection of malicious link URLs
  • As a temporary workaround, apply server‑side or client‑side filtering to strip javascript: schemes from any link_url values before they are rendered within the page
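The third action above suggests stripping javascript: schemes from link_url values. A plain string match on "javascript:" is easy to slip past (mixed case, a tab or newline inside the scheme, leading control characters, all of which browsers tolerate), so the robust form of that workaround is a scheme allowlist applied before the value reaches the anchor's href. The block below is an added example written for this page; it is not Presto Player's code and does not reproduce getOverlays() or the presto-dynamic-overlay-ui component. The function names, the `link_text` attribute and the allowed-scheme list are assumptions chosen for illustration; the sample inputs are constructed.

```javascript
// Added example: scheme-allowlisted handling of an overlay link URL.
// Assumption: a hardened overlay renderer would accept only these schemes
// plus same-site relative links. Anything else is dropped, not "fixed up".
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

function sanitizeOverlayLinkUrl(rawValue) {
  if (typeof rawValue !== "string") return "";

  // Browsers remove ASCII tab, LF and CR anywhere in a URL and strip leading/
  // trailing C0 controls and spaces before parsing, so normalise the same way
  // before looking at the scheme; otherwise "java\tscript:" would pass a naive check.
  const cleaned = rawValue
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  if (cleaned === "") return "";

  // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (schemeMatch === null) {
    // No scheme at all: a relative link such as "/pricing", "#section" or "?p=1".
    return cleaned;
  }

  const scheme = schemeMatch[1].toLowerCase() + ":";
  if (!ALLOWED_SCHEMES.has(scheme)) return ""; // javascript:, data:, vbscript:, ...

  // Round-trip through the URL parser so a malformed absolute URL is rejected
  // rather than emitted into the markup.
  try {
    return new URL(cleaned).href;
  } catch {
    return "";
  }
}

// Minimal HTML escaping for attribute values and text content (constructed helper).
function escapeHtml(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical hardened counterpart of the attribute-to-config step the advisory
// describes: the link is validated here, at the point it enters the overlay config.
function getOverlayConfig(attrs) {
  return {
    linkUrl: sanitizeOverlayLinkUrl(attrs.link_url),
    linkText: typeof attrs.link_text === "string" ? attrs.link_text : "",
  };
}

// Render the clickable element. A rejected URL yields an inert <span>, so the
// overlay still displays but never carries an executable href.
function renderOverlayAnchor(config) {
  const text = escapeHtml(config.linkText);
  if (config.linkUrl === "") return `<span>${text}</span>`;
  return `<a href="${escapeHtml(config.linkUrl)}">${text}</a>`;
}

// Constructed samples: the first two are ordinary links, the rest are the
// kinds of values the allowlist is there to stop.
const samples = [
  "https://example.com/pricing",
  "/pricing",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeOverlayLinkUrl(s)));
}
```

The important design choice is the allowlist: the advisory's root cause is that the scheme was never checked, and a denylist of known-bad schemes only reintroduces the same class of gap. Rejecting the value outright (instead of rewriting it) also keeps the fix easy to reason about, and escaping at render time covers the other half of CWE-79 regardless of where the value came from.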

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-12T01:28:02.071Z

Reserved: 2026-05-20T17:39:30.319Z

Link: CVE-2026-9125

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T02:16:42.373

Modified: 2026-06-12T02:16:42.373

Link: CVE-2026-9125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T03:30:12Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')