CVE-2025-27005
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player (lbg-vp2-html5-bottom) allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through 5.3.5 (inclusive).
Meta Information
Published: 2026-01-22
Last Modified: 2026-04-27
Generated: 2026-05-06
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (one associated CPE)
Vendor: lambertgroup
Product: html5_video_player
Version / Range: all versions up to and including 5.3.5
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-27005 is a medium-severity Cross-Site Scripting (XSS) vulnerability in the HTML5 Video Player WordPress plugin by LambertGroup, affecting versions up to and including 5.3.5. It is a reflected XSS (CWE-79): attacker-controlled input carried in a request, typically a URL parameter, is echoed into the generated page without proper output encoding, so any HTML or JavaScript it contains (a redirect, injected advertisements, or an arbitrary script payload) runs in the browser of whoever loads that response. Because the payload travels in the request rather than being stored on the server, each victim has to be induced to open a crafted link or page; no authentication is needed to start the attack, but user interaction is. [1]
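The mechanism described above, as an added illustration in Python that is not the plugin's code and not from the original page: a constructed mini renderer echoes a `video` query parameter into an HTML attribute the way a vulnerable template would, next to a half-fixed form (encodes `<`, `>` and `&` but not quotes) and a hardened form, and a small check built on the standard-library HTML parser reports whether each payload managed to add tags or attributes. The parameter name, the markup and the payloads are all assumptions made for the example.

```python
"""Reflected XSS (CWE-79) in an attribute context, shown generically.

Constructed example: not the HTML5 Video Player plugin's code. A page
renderer echoes the 'video' query parameter into a data-src attribute,
which is the pattern the advisory describes: request input placed into
the generated page without neutralization.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Hypothetical parameter name, chosen for the example.
PARAM = "video"


def _param(query_string: str) -> str:
    """Pull the (already URL-decoded) parameter value out of a query string."""
    return parse_qs(query_string, keep_blank_values=True).get(PARAM, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """CWE-79: request input lands in the page with no encoding at all."""
    return f'<div class="player" data-src="{_param(query_string)}"></div>'


def render_escape_no_quotes(query_string: str) -> str:
    """A common half-fix: < > & are encoded but quotes are not, so the value
    can still close the attribute and add new attributes to the element."""
    value = html.escape(_param(query_string), quote=False)
    return f'<div class="player" data-src="{value}"></div>'


def render_hardened(query_string: str) -> str:
    """Context-aware encoding: quotes are encoded too, so the value cannot
    escape the attribute it was placed in (WordPress's esc_attr() has the
    same intent)."""
    value = html.escape(_param(query_string), quote=True)
    return f'<div class="player" data-src="{value}"></div>'


class _Tags(HTMLParser):
    """Collect every start tag with its attributes, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected(rendered: str) -> bool:
    """True when the output contains anything beyond the one intended div
    with exactly its two intended attributes: extra tags or attributes
    mean the input broke out of the data-src value."""
    p = _Tags()
    p.feed(rendered)
    p.close()
    if len(p.tags) != 1:
        return True
    tag, attrs = p.tags[0]
    return tag != "div" or set(attrs) != {"class", "data-src"}


# Constructed payloads: one adds a new tag, one adds an event-handler
# attribute without using < or > at all, one is a benign value.
PAYLOADS = {
    "tag_injection": 'x"><img src=x onerror=alert(1)>',
    "attr_injection": 'x" onmouseover="alert(1)',
    "benign": "intro.mp4",
}

RENDERERS = {
    "vulnerable": render_vulnerable,
    "escape_no_quotes": render_escape_no_quotes,
    "hardened": render_hardened,
}


def run_matrix() -> dict[str, dict[str, bool]]:
    """For each payload, send it URL-encoded (as a browser would) through
    every renderer and record whether it achieved injection."""
    result = {}
    for name, payload in PAYLOADS.items():
        qs = urlencode({PARAM: payload})
        result[name] = {rname: injected(r(qs)) for rname, r in RENDERERS.items()}
    return result


if __name__ == "__main__":
    for payload, outcome in run_matrix().items():
        print(f"{payload:15} " + "  ".join(
            f"{k}={'XSS' if v else 'safe'}" for k, v in outcome.items()))
```

The second payload is the one worth remembering: it contains no angle brackets, so any filter or encoder that only handles `<` and `>` passes it through, and it still turns into an event-handler attribute on the element. Only encoding for the attribute context (quotes included) closes both paths.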


How can this vulnerability impact me?

An attacker can run script of their choosing in the browser of any user who follows a crafted link to your site. Typical outcomes are unwanted redirects and injected advertisements, theft of data the script can reach (form contents, page content, and cookies that are not marked HttpOnly), and, because the script runs inside the victim's session, actions performed on the victim's behalf. If the victim is a logged-in WordPress administrator, that last point matters most: script running in an administrator's browser can drive the admin interface with the administrator's privileges. The practical cost is loss of visitor trust and, in the worst case, compromise of the site itself. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by establishing exposure: check whether the plugin is installed and which version it runs, for example with `wp plugin list --fields=name,version,status` on a site that has WP-CLI, or by reading the Version header of the plugin's main file under wp-content/plugins/. Anything at or below 5.3.5 is in the affected range. For active testing, point a web application scanner or an interception proxy such as OWASP ZAP or Burp Suite at the plugin's pages and inject a harmless marker string into each URL parameter, then confirm whether the marker comes back in the response unencoded; that confirmation, not the mere presence of a parameter, is what separates a real reflection from noise. For past or ongoing exploitation attempts, inspect the web server access logs for requests whose query strings, after URL decoding (attackers double-encode to evade naive filters), contain script tags, event-handler attributes or javascript: URIs. A log entry shows only that a payload was sent, not that it was reflected; replay suspicious requests through the proxy to confirm. Specific commands for this plugin are not provided in the resources. [1]
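The log review described above, as an added example in Python that is not from the original page or the plugin vendor: it parses Apache combined-format access-log lines, URL-decodes each request target repeatedly to unwrap double encoding, and flags common reflected-XSS indicators, noting whether the request targeted the plugin's directory. The log lines are constructed, the path under the plugin directory is a placeholder, and PLUGIN_SLUG assumes the advisory's `lbg-vp2-html5-bottom` string is the plugin's directory name.

```python
"""Scan web-server access logs for reflected-XSS probes.

Constructed example, not from the original page or the plugin vendor.
It parses Apache combined-format lines, URL-decodes each request target
repeatedly (attackers double-encode to slip past naive filters) and flags
common XSS indicators, also noting whether the request targeted the
plugin's directory. The log lines below are made up, the path under the
plugin directory is a placeholder, and PLUGIN_SLUG assumes the advisory's
'lbg-vp2-html5-bottom' string is the plugin's directory name.
"""
import re
from urllib.parse import unquote

PLUGIN_SLUG = "lbg-vp2-html5-bottom"  # assumption: plugin directory name

# Apache combined log: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic indicators of a script-injection probe. Kept narrow to stay quiet
# on ordinary query strings; they are indicators, not proof of reflection.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon(error|load|mouse\w+|click|focus|blur|toggle)\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag", re.compile(r"<\s*(img|svg|iframe|body|a|div|video|embed)\b", re.I)),
]

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2026:10:01:12 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2026:10:02:03 +0000] "GET /wp-content/plugins/lbg-vp2-html5-bottom/player.php?id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.9 - - [22/Jan/2026:10:02:05 +0000] "GET /?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 9001 "-" "curl/8.4.0"
198.51.100.4 - - [22/Jan/2026:10:03:44 +0000] "GET /watch?video=intro.mp4&autoplay=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    %253C -> %3C -> < is seen as the '<' it becomes after two decodes."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str, plugin_slug: str = PLUGIN_SLUG) -> list[dict]:
    """Return one finding per request whose decoded target matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m["target"]
        decoded = fully_decode(target)
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if not hits:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "plugin_path": f"/plugins/{plugin_slug}/" in decoded,
            "double_encoded": unquote(target) != decoded,
            "indicators": hits,
            "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 with an indicator means the payload was sent, not that it
        # was reflected: replay the decoded request through a proxy to confirm.
        print(f"{f['ip']} {f['status']} plugin={f['plugin_path']} "
              f"double_enc={f['double_encoded']} {f['indicators']}\n    {f['decoded']}")
```

Feed it a real log with `scan_log(open(path).read())`; the `double_encoded` flag is worth sorting on first, since ordinary users never double-encode a query string, while `plugin_path` narrows the list to requests aimed at this plugin's files.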


What immediate steps should I take to mitigate this vulnerability?

Apply the Patchstack mitigation (virtual patching) rule for this vulnerability, which blocks requests matching the exploit pattern at the application-firewall layer without changing the plugin's code. As of the publication date no official fixed version was available, so this rule is the primary protection; check the vendor for a release newer than 5.3.5 and update as soon as one exists. If you cannot deploy the rule, deactivating the plugin until a fix ships removes the exposure entirely. As defense in depth, a Content Security Policy that disallows inline script limits what a reflected payload can do, and marking session cookies HttpOnly keeps them out of reach of injected script (it does not stop actions performed within the victim's session). [1]

