Vulnerabilities and security researches forvideo-playlist-and-gallery-plugin video-playlist-and-gallery-plugin

Jun 07, 2024

CVE, Research URL: 8a9cb7c8b9bae1d383bc2ee1daa00183e22413ab
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Aug 25, 2015
Research Description: Cincopa video and media plug-in [video-playlist-and-gallery-plugin] < 1.137 WordPress Post Video Players Plugin <= 1.136 - XSS Because of this vulnerability, authenticated users (like editors) can store HTML or JS code. Update the plugin.
Affected versions: max 1.137.
Status: vulnerable

CVE, Research URL: CVE-2024-23515
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Mar 27, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Cincopa Post Video Players.This issue affects Post Video Players: from n/a through 1.159.
Affected versions: max 1.160.
Status: vulnerable

CVE, Research URL: CVE-2015-10109
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Jun 01, 2023
Research Description: A vulnerability was found in Video Playlist and Gallery Plugin up to 1.136 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality of the file wp-media-cincopa.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. Upgrading to version 1.137 is able to address this issue. The name of the patch is ee28e91f4d5404905204c43b7b84a8ffecad932e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230264.
Affected versions: max 1.137.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-62142
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Dec 31, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS.This issue affects Post Video Players: from n/a through <= 1.163.
Affected versions: max 1.163.
Status: vulnerable

CVE, Research URL: CVE-2025-62143
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Dec 31, 2025
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Retrieve Embedded Sensitive Data.This issue affects Post Video Players: from n/a through <= 1.163.
Affected versions: max 1.163.
Status: vulnerable

Jun 16, 2026

CVE, Research URL: ee7ba21e902a001f6add53b20020ff6f4ee03467
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Aug 25, 2015
Research Description: Cincopa video and media plug-in [video-playlist-and-gallery-plugin] < 1.137 Cincopa video and media plug-in < 1.137 - Cross-Site Request Forgery to Stored Cross-Site Scripting The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery via the ‘cincopaafc’ parameter in versions before 1.137 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.137.
Status: vulnerable

CVE, Research URL: 7505d6b8-e9ef-4db2-9841-d28d5d0fdbb1
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: -
Research Description: Cincopa video and media plug-in [video-playlist-and-gallery-plugin] < 1.137 Post video players <= 1.136 - Authenticated Stored Cross-Site Scripting (XSS) The Post video players, slideshow albums, photo galleries and music / podcast playlist WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability.
Affected versions: max 1.137.
Status: vulnerable

Jun 25, 2026

CVE, Research URL: CVE-2026-10092
Home page URL: Security reports for Cincopa video and media plug-in
Application: Cincopa video and media plug-in
Date: Jun 24, 2026
Research Description: The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
Affected versions: max 1.163.
Status: vulnerable