CVE-2026-9125— Andre Gagnon Presto Player 跨站脚本漏洞

The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Andre Gagnon Presto Player 跨站脚本漏洞

Presto Player是Andre Gagnon个人开发者的一个视频渲染插件。 Andre Gagnon Presto Player 4.2.0及之前版本存在跨站脚本漏洞，该漏洞源于getOverlays()函数输入清理和输出转义不足，导致link_url参数存在存储型跨站脚本漏洞，允许经过身份验证的攻击者注入任意Web脚本。

N/A

N/A