CVE-2025-53563
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider video_player_youtube_vimeo allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Youtube Vimeo Video Player and Slider plugin (≤3.8) allows script injection via unneutralized input.
Improper neutralization of user-supplied input in the LambertGroup Youtube Vimeo Video Player and Slider plugin for WordPress leads to a reflected cross-site scripting (XSS) vulnerability. The issue affects versions of the video_player_youtube_vimeo plugin up to and including 3.8. The root cause is a failure to sanitize or escape input before including it in web page output, which lets an attacker inject arbitrary JavaScript or HTML into the response [1].
Exploitation
Exploitation requires user interaction: a victim with sufficient privileges (e.g., an administrator) must click a crafted link, visit a malicious page, or submit a specially prepared form. The attacker needs no authentication to launch the attack, but the targeted user must perform the action. The reflected XSS can be delivered via a URL that carries the malicious payload, which then executes in the context of the victim's session [1].
Impact
Successful exploitation allows the attacker to inject scripts that can perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or exfiltrating sensitive data. The CVSS v3.1 score of 7.1 (High) underscores the risk. The vulnerability is considered moderately dangerous, and mass-exploit campaigns are expected to target numerous WordPress sites regardless of size [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.8
Patches
No patches discovered yet.
References