{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9203", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-19T17:43:22.904Z", "datePublished": "2025-09-17T06:17:48.156Z", "dateUpdated": "2026-04-08T16:35:57.655Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:57.655Z"}, "affected": [{"vendor": "bplugins", "product": "Media Player Addons for Elementor \u2013 Audio and Video Widgets for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Media Player Addons for Elementor <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1067cc82-3595-4228-a7a2-5b3be7677b1f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/bplayer-widget-video.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/b_html5_addon.php#L432"}, {"url": "https://plugins.trac.wordpress.org/log/media-player-addons-for-elementor/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-19T17:58:36.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-16T17:45:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T12:52:25.837049Z", "id": "CVE-2025-9203", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T12:52:40.527Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T12:52:25.837049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T12:52:29.513Z"}}], "cna": {"title": "Media Player Addons for Elementor <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bplugins", "product": "Media Player Addons for Elementor \u2013 Audio and Video Widgets for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-19T17:58:36.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-16T17:45:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1067cc82-3595-4228-a7a2-5b3be7677b1f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/bplayer-widget-video.php#L207"}, {"url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/b_html5_addon.php#L432"}, {"url": "https://plugins.trac.wordpress.org/log/media-player-addons-for-elementor/"}], "descriptions": [{"lang": "en", "value": "The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:57.655Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9203", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:57.655Z", "dateReserved": "2025-08-19T17:43:22.904Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T06:17:48.156Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9203", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T07:15:42.083", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/b_html5_addon.php#L432"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/media-player-addons-for-elementor/tags/1.0.5/widgets/bplayer-widget-video.php#L207"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/log/media-player-addons-for-elementor/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1067cc82-3595-4228-a7a2-5b3be7677b1f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:18:09.986468+00:00", "value": {"mitigation_remediation": ["Update the Media Player Addons for Elementor plugin to a version newer than 1.0.5, if one is available.", "If an update cannot be applied immediately, remove or disable the widget fields that accept subtitle_ssize, track_title, and track_artist_name, or ensure they are properly sanitized and escaped using WordPress escape routines.", "Limit contributor\u2011level access to trusted users only and consider using a stricter role hierarchy or additional access control checks to reduce the risk of abuse."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerable software is the Media Player Addons for Elementor \u2013 Audio and Video Widgets for Elementor plugin for WordPress. All releases up to and including version one point zero point five contain the flaw; users of earlier versions are also affected.", "description_and_impact": "The Media Player Addons for Elementor plugin for WordPress is vulnerable to stored cross\u2011site scripting because certain widget attributes\u2014subtitle_ssize, track_title, and track_artist_name\u2014are neither sanitized nor properly escaped. This weakness allows authenticated contributors or higher to inject arbitrary HTML or JavaScript into pages that display the affected widget. An attacker could then execute malicious scripts in the context of any visitor to the site, potentially defacing content, stealing session cookies, or executing other client\u2011side attacks. The flaw is a classic input validation and output encoding problem identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the issue as medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the required attacker privilege is only contributor\u2011level or higher, which is difficult to obtain for an external attacker but realistic for a disgruntled or compromised internal user. If exploited, the impact could enable persistent client\u2011side attacks, defacement, or credential theft on the site."}}}}, "created": "2026-04-22T14:30:18.953816+00:00", "updated": "2026-04-22T14:30:18.953828+00:00", "vendors": []}