CVE-2025-62951
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icc0rz H5P h5p allows Stored XSS. This issue affects H5P: from n/a through <= 1.16.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in H5P WordPress plugin (<=1.16.0) allows attackers to inject malicious scripts, potentially impacting website visitors.
A stored cross-site scripting (XSS) vulnerability exists in the H5P WordPress plugin (versions up to and including 1.16.0). The issue arises from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary web scripts or HTML.
Exploitation requires user interaction, such as a privileged user clicking a malicious link or submitting crafted content. Once injected, the malicious script is stored and executed when any visitor accesses the affected page, making it a stored XSS vulnerability.
An attacker could use this to redirect visitors, display advertisements, or steal sensitive information. The impact is limited to the scope of the victim's browser session but can affect many users if the plugin is widely deployed.
Mitigation is straightforward: update the H5P plugin to version 1.16.1 or later. Patchstack, which reported this vulnerability, recommends immediate updating and notes that auto-update can be enabled for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.