5.4
CVE-2023-6485
- EPSS 1.89%
- Veröffentlicht 01.01.2024 15:15:43
- Zuletzt bearbeitet 18.06.2025 15:15:25
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginHtml5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins
Mögliche Gegenmaßnahme
HTML5 Video Player – Embed and Play Videos in Custom Player: Update to version 2.5.19, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
HTML5 Video Player – Embed and Play Videos in Custom Player
Version
*-2.5.18
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Bplugins ≫ Html5 Video Player SwPlatformwordpress Version < 2.5.19
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.89% | 0.828 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.