CVE-2025-53559

Vulnerability

Overview

CVE-2025-53559 is a reflected cross-site scripting (XSS) vulnerability found in the LambertGroup Universal Video Player - Addon for WPBakery Page Builder (plugin slug: lbg-universal-video-player-addon-visual-composer). The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response. This affects all versions from n/a through 3.2.1 [1].

Exploitation

Prerequisites

Exploitation requires user interaction: a privileged user (such as an administrator) must click a crafted link, visit a maliciously prepared page, or submit a specially formed form. The attacker does not need prior authentication to the WordPress site but must trick a logged-in user into performing the action. The reflected nature means the injected payload is immediately executed in the victimized in the response, making it suitable for targeted attacks like phishing or session hijacking [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing cookies or session tokens, or performing actions on behalf of the victim. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size [1].

Mitigation

The vendor has released version 3.2.2.0 which resolves the vulnerability. Users are strongly advised to update immediately. If updating is not possible, a mitigation rule is available from Patchstack to block attacks until the patch is applied. No workarounds other than updating or applying the virtual patch are mentioned [1].