cleantalk
Vulnerabilities and Security Researches

The Ultimate Video Player For WordPress – by Presto Player, CVE-2026-9125

CVE, Research URL

CVE-2026-9125

Home page URL

Security reports for The Ultimate Video Player For WordPress – by Presto Player

Application

The Ultimate Video Player For WordPress – by Presto Player

Published on
Jun 12, 2026
Research Description
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
Place Order Without Payment for WooCommerce (CVE-2023-33999) , Jun 12, 2026
Place Order Without Payment for WooCommerce (CVE-2024-13362) , May 02, 2026
Place Order Without Payment for WooCommerce (CVE-2025-26933) , Feb 27, 2025
Place Order Without Payment for WooCommerce (47f59ee33113bd4bcc6d8e18f80584a2c1a439d9) , Jun 07, 2024
Place Order Without Payment for WooCommerce (CVE-2022-4974) , Nov 14, 2024
New vulnerability
The Ultimate Video Player For WordPress – by Presto Player (CVE-2026-9125) , Jun 12, 2026
Extra Fees Plugin for WooCommerce (CVE-2023-33999) , Jun 12, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery (CVE-2023-33999) , Jun 12, 2026
Form Vibes – Database Manager for Forms (CVE-2023-33999) , Jun 12, 2026
FormsCRM (CVE-2023-33999) , Jun 12, 2026