CVE-2023-6485

Name of the Vulnerable Software and Affected Versions Html5 Video Player WordPress plugin versions prior to 2.5.19

Description The issue arises from the Html5 Video Player WordPress plugin not sanitizing and escaping some of its player settings, combined with missing capability checks around the plugin. This could allow any authenticated users, such as subscribers, to perform Stored Cross-Site Scripting attacks against high-privilege users like admins.

Recommendations For versions prior to 2.5.19, update to version 2.5.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation. Additionally, ensure that capability checks are properly implemented around the plugin to prevent low-privilege users from performing sensitive actions.