CVE-2025-53562
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Universal Video Player - Addon for WPBakery Page Builder WordPress plugin. When users visit pages containing the malicious scripts, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Universal Video Player - Addon for WPBakery Page Builder WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain administrative access to WordPress sites, install backdoors, deface websites, or steal sensitive user data.
Likely Case
Attackers will typically use this to steal user session cookies, redirect users to malicious sites, or perform limited actions within the user's current session context.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Reflected XSS vulnerabilities typically require user interaction (clicking a malicious link) but are relatively easy to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.2.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Universal Video Player - Addon for WPBakery Page Builder'. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete the plugin, then find a secure alternative.
🔧 Temporary Workarounds
Disable vulnerable plugin
allDeactivate and remove the vulnerable plugin until a patch is available
wp plugin deactivate lbg_universal_video_player_addon_visual_composer
wp plugin delete lbg_universal_video_player_addon_visual_composer
Implement Content Security Policy
allAdd CSP headers to prevent execution of inline scripts
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to WordPress functions.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable the Universal Video Player addon functionality entirely
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Universal Video Player - Addon for WPBakery Page Builder' version 3.2.1 or earlierCheck Version:
wp plugin get lbg_universal_video_player_addon_visual_composer --field=versionVerify Fix Applied:
Verify plugin version is higher than 3.2.1 or plugin is completely removed📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests with script tags or JavaScript in parameters
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in URL parameters
- Unusual redirects to external domains
SIEM Query:
source="web_server_logs" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=") AND uri="*universal-video-player*"