VYPR
Medium severity · 6.4 · NVD Advisory · Published Jun 12, 2026

CVE-2026-9125

Description

Stored XSS in Presto Player WordPress plugin via link_url attribute of [presto_player_overlay] shortcode allows authenticated attackers with contributor-level access to inject arbitrary web scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Presto Player plugin for WordPress versions up to and including 4.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) in the [presto_player_overlay] shortcode. The getOverlays() function copies the link_url shortcode attribute directly into the overlay configuration without proper input sanitization or output escaping, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component [1][2][3].
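The copy-through described above, modelled beside a hardened allow-list check, as an added example that is not Presto Player's code: the function names, the `label` attribute and the `https://example.com` site origin are assumptions.

```javascript
// Added example, not Presto Player's code. Models the advisory's flaw: the
// link_url shortcode attribute is copied straight into the overlay config
// and then used as an anchor href, so a javascript: URI becomes clickable.
// Assumptions: overlays carry a "label" attribute and the site origin is
// https://example.com (used only to resolve relative links).

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Return an href that is safe to place on an overlay anchor, or null when
// the value must be dropped. Relative paths such as "/pricing" are resolved
// against siteOrigin so legitimate same-site links keep working.
function safeOverlayHref(linkUrl, siteOrigin = "https://example.com") {
  if (typeof linkUrl !== "string") return null;
  const value = linkUrl.trim();
  if (value === "") return null;
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme, so "JavaScript:" and
    // "javascript:" both surface as protocol "javascript:" and are refused.
    parsed = new URL(value, siteOrigin);
  } catch {
    return null; // unparseable input is never emitted as an href
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Vulnerable shape from the advisory: attribute copied through unchanged.
function buildOverlayUnsafe(attrs) {
  return { label: attrs.label, href: attrs.link_url };
}

// Hardened shape: the overlay loses its link rather than carrying a
// disallowed scheme; the label is still rendered as plain text.
function buildOverlay(attrs, siteOrigin) {
  const href = safeOverlayHref(attrs.link_url, siteOrigin);
  return href === null ? { label: attrs.label } : { label: attrs.label, href };
}

// Constructed shortcode attributes using the payload quoted in the advisory.
const sampleAttrs = {
  label: "Watch now",
  link_url: "javascript:alert(document.cookie)",
};

console.log(buildOverlayUnsafe(sampleAttrs).href); // javascript:alert(document.cookie)
console.log(buildOverlay(sampleAttrs).href);       // undefined: link dropped
```

Escaping the label at render time is still required; this check only governs which values may become an href.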

Exploitation

An authenticated attacker with contributor-level access or above can inject a malicious link_url value (e.g., javascript:alert(document.cookie)) into the [presto_player_overlay] shortcode. When a user visits a page containing the injected shortcode, the overlay renders a clickable link that executes the attacker's script in the context of the victim's browser session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users who view the affected page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is stored, meaning the malicious payload persists until the content is removed or patched.

Mitigation

The vulnerability is fixed in Presto Player version 4.2.3, released on 2026-06-04 [4]. Users should update to version 4.2.3 or later. No workaround is available for earlier versions. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.