cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security research for presto-player

Jun 07, 2024

The Ultimate Video Player For WordPress – by Presto Player # CVE-2024-2428

CVE, Research URL

CVE-2024-2428

Date
Apr 10, 2024
Research Description
The Ultimate Video Player For WordPress plugin before 2.2.3 does not perform a proper capability check when its settings are updated via a REST route, allowing Contributor and above users to update them. Furthermore, because one of the settings is output without escaping, this also allows them to perform Stored XSS attacks.
Affected versions
earlier than 2.2.3.
Status
vulnerable
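The two defects the description above names (a REST route whose permission check admits Contributors, and a setting written to the page without escaping) are shown side by side in the following added example. It is not Presto Player's code; the namespace, route, option name and field names are hypothetical, and the vulnerable half only illustrates the pattern, not the plugin's actual implementation.

```php
<?php
// Added example (not Presto Player's code). Route, option and field names are
// hypothetical. Shows the missing-capability-check + missing-escaping pattern
// from CVE-2024-2428 and a hardened version beside it.

// --- Vulnerable pattern ------------------------------------------------------
// permission_callback only asks "is anyone logged in?", so a Contributor passes,
// and whatever JSON the caller sends is stored verbatim.
function vuln_register_settings_route() {
    register_rest_route( 'example-player/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'vuln_update_settings',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

function vuln_update_settings( WP_REST_Request $request ) {
    update_option( 'example_player_settings', $request->get_json_params() );
    return rest_ensure_response( get_option( 'example_player_settings' ) );
}

// --- Hardened pattern --------------------------------------------------------
function safe_register_settings_route() {
    register_rest_route( 'example-player/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'safe_update_settings',
        // Plugin settings are an administrator-level action: require manage_options,
        // not merely an authenticated session.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declare every accepted field with a sanitize_callback; the REST server
        // applies these before the callback runs, and undeclared keys are ignored.
        'args' => array(
            'player_css_class' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_html_class',
            ),
            'tagline' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

function safe_update_settings( WP_REST_Request $request ) {
    $allowed  = array( 'player_css_class', 'tagline' );
    $settings = array();
    foreach ( $allowed as $key ) {
        $value = $request->get_param( $key ); // already sanitized via 'args'
        if ( null !== $value ) {
            $settings[ $key ] = $value;
        }
    }
    update_option( 'example_player_settings', $settings );
    return rest_ensure_response( $settings );
}

// Escape on output as well; input sanitization is not a substitute for it.
function safe_render_tagline() {
    $settings = get_option( 'example_player_settings', array() );
    $class    = isset( $settings['player_css_class'] ) ? $settings['player_css_class'] : '';
    $tagline  = isset( $settings['tagline'] ) ? $settings['tagline'] : '';
    echo '<p class="' . esc_attr( $class ) . '">' . esc_html( $tagline ) . '</p>';
}

add_action( 'rest_api_init', 'safe_register_settings_route' );
```

When auditing a plugin for this class of bug, grep every `register_rest_route` call for its `permission_callback`: `__return_true`, `is_user_logged_in`, or a low capability such as `edit_posts` on a settings-writing route is the finding, and the output side is checked by tracing each stored value to an `esc_*` call at the point it is printed.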
Aug 20, 2024

The Ultimate Video Player For WordPress – by Presto Player # CVE-2024-43285

CVE, Research URL

CVE-2024-43285

Date
Nov 01, 2024
Research Description
Missing Authorization vulnerability in Presto Made, Inc Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 3.0.2.
Affected versions
earlier than 3.0.3 (n/a through 3.0.2).
Status
vulnerable
May 19, 2026

The Ultimate Video Player For WordPress – by Presto Player # CVE-2026-45442

CVE, Research URL

CVE-2026-45442

Date
May 19, 2026
Research Description
Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3.
Affected versions
earlier than 4.1.4 (n/a through 4.1.3).
Status
vulnerable
Jun 12, 2026

The Ultimate Video Player For WordPress – by Presto Player # CVE-2026-9125

CVE, Research URL

CVE-2026-9125

Date
Jun 12, 2026
Research Description
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
earlier than 4.2.1 (up to and including 4.2.0).
Status
vulnerable
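The shortcode-attribute-to-href flow described above is illustrated by the following added example, which is not Presto Player's getOverlays() code: the shortcode name, attribute defaults and helper names are hypothetical. The point it makes is that HTML-escaping an href is not enough; the URL scheme has to be allow-listed before the value reaches the overlay configuration, whether the anchor is rendered by PHP or, as in the description, by a client-side web component reading that configuration.

```php
<?php
// Added example (not Presto Player's code). Shortcode and helper names are
// hypothetical. Shows a link attribute copied into an overlay config without
// scheme validation, and a hardened version that allow-lists http/https.

// --- Vulnerable pattern ------------------------------------------------------
function vuln_overlay_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'link_url' => '', 'label' => 'Watch' ), $atts, 'example_overlay' );
    $overlay = array( 'href' => $atts['link_url'], 'label' => $atts['label'] );
    // [example_overlay link_url="javascript:alert(document.cookie)"] survives here
    // unchanged, so the anchor's href executes script when a visitor clicks it.
    return '<a class="overlay" href="' . $overlay['href'] . '">' . $overlay['label'] . '</a>';
}

// --- Hardened pattern --------------------------------------------------------
// Returns a safe URL or '' (never a javascript:, data:, vbscript: etc. URL).
function example_overlay_safe_url( $url ) {
    $url = trim( (string) $url );
    if ( '' === $url ) {
        return '';
    }
    // Site-relative paths such as /pricing are accepted; protocol-relative
    // //host/... is not, because it has no scheme to check and changes origin.
    if ( '/' === $url[0] && ( ! isset( $url[1] ) || '/' !== $url[1] ) ) {
        return $url;
    }
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( strtolower( (string) $scheme ), array( 'http', 'https' ), true ) ) {
        return ''; // no scheme, or a scheme outside the allow-list
    }
    // esc_url_raw() additionally strips control characters and enforces the
    // protocol list, which catches obfuscations such as "java\tscript:".
    return esc_url_raw( $url, array( 'http', 'https' ) );
}

function safe_overlay_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'link_url' => '', 'label' => 'Watch' ), $atts, 'example_overlay' );
    // Validate when building the overlay config, before anything (server or
    // client component) turns it into an href.
    $overlay = array(
        'href'  => example_overlay_safe_url( $atts['link_url'] ),
        'label' => $atts['label'],
    );
    if ( '' === $overlay['href'] ) {
        // Rejected link: render the label without an anchor at all.
        return '<span class="overlay">' . esc_html( $overlay['label'] ) . '</span>';
    }
    return '<a class="overlay" href="' . esc_url( $overlay['href'], array( 'http', 'https' ) ) . '">'
        . esc_html( $overlay['label'] ) . '</a>';
}

add_shortcode( 'example_overlay', 'safe_overlay_shortcode' );
```

If the overlay configuration is handed to a browser-side component instead of rendered in PHP, the same helper should run where the configuration array is assembled, and the array should be emitted with `wp_json_encode()` so the client never sees an unvalidated string; `esc_attr()` alone would leave a `javascript:` href intact, since it encodes quotes and angle brackets but does not inspect the scheme.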