CVE-2025-53562

The lbg_universal_video_player_addon_visual_composer WordPress plugin for WPBakery Page Builder contains a reflected cross-site scripting (XSS) flaw due to improper neutralization of user-supplied input during web page generation [1]. This vulnerability affects plugin versions from n/a through 3.2.1, and is classified with a CVSS score of 7.1 (High) [1].

Exploitation requires an authenticated user with sufficient privileges to perform an action, such as clicking a crafted link, visiting a malicious page, or submitting a specially designed form [1]. An attacker who successfully tricks a privileged user into interacting with a crafted URL can inject arbitrary HTML or JavaScript into the generated page [1].

The injected script executes in the context of the victim's browser session, enabling actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or exfiltrating sensitive data [1]. This vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns against WordPress sites [1].

The vendor has released version 3.2.2.0 which resolves the issue; users are strongly advised to update immediately [1]. For those unable to update, applying a virtual patch or mitigation rule (such as those provided by Patchstack) can block exploitation attempts until the plugin is updated [1].