CVE-2026-0724
Stored XSS in WPlyr Media Block Plugin Allows Admin Script Injection
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wplyr_media_block | up to and including 1.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.3.0 because the '_wplyr_accent_color' value is neither sanitized on input nor escaped on output. An authenticated attacker with Administrator-level access or higher can store a script payload in that value, and it executes in the browser of every user who views the affected page. One caveat that applies to any administrator-only stored XSS in WordPress: on a single-site install an administrator normally holds the unfiltered_html capability and can already place arbitrary HTML in post content, so this finding mainly matters on multisite installs or on sites where unfiltered_html has been removed (for example with the DISALLOW_UNFILTERED_HTML constant).
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator privileges to inject malicious scripts into the website's pages. These scripts can execute in the browsers of users who visit the affected pages, potentially leading to theft of sensitive information, session hijacking, defacement, or other malicious actions. Since the attacker needs high-level access, the risk is primarily from insiders or compromised administrator accounts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirming whether the plugin is installed at an affected version (up to and including 1.3.0), and checking whether any stored '_wplyr_accent_color' value already carries a payload.
Because the injection requires an authenticated administrator, the request itself looks like ordinary admin activity on the network, so the reliable signal is the stored value rather than the traffic: an accent colour should be a plain CSS colour, and anything else in that field is suspect.
Suggested commands or steps to detect the vulnerability include:
- Check the installed version of the WPlyr Media Block plugin with WP-CLI (the slug `wplyr-media-block` is assumed; confirm it against `wp plugin list`): `wp plugin get wplyr-media-block --field=version`
- Inspect the stored value itself rather than grepping for a literal `<script>` tag, which misses `</style>` breakouts and `onerror=`/`onload=` handlers. The leading underscore follows WordPress's post-meta naming convention, so the postmeta table is the first place to look (the advisory names the parameter but not where it is stored); since a legitimate accent colour is a hex value, list every row that is not one: `wp db query "SELECT post_id, meta_value FROM $(wp db prefix)postmeta WHERE meta_key = '_wplyr_accent_color' AND meta_value NOT REGEXP '^#[0-9a-fA-F]{3,8}$'"`. If that returns nothing, repeat the check against the options table: `wp db query "SELECT option_name, option_value FROM $(wp db prefix)options WHERE option_name LIKE '%wplyr%'"`
- Review web-server or WAF logs for POST requests to admin endpoints that carry `_wplyr_accent_color` with anything other than a colour value, and correlate each hit with the administrator account that sent it.
- On a staging copy, use an authenticated administrator session (manually or with a scanner) to confirm whether a value containing a closing quote or an HTML tag is stored and echoed back unescaped.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Stored Cross-Site Scripting vulnerability in the WPlyr Media Block plugin, immediate steps include:
- Update the WPlyr Media Block plugin to a version later than 1.3.0 where the vulnerability is fixed.
- If an update is not immediately available, restrict administrator access to trusted users only to prevent exploitation.
- Temporarily disable or deactivate the WPlyr Media Block plugin until a patched version is installed.
- Review the stored `_wplyr_accent_color` values: a legitimate entry is a plain CSS colour, so any value containing quotes, angle brackets or a `</style>` sequence is a payload and should be deleted or reset, and the post's revision history checked for the administrator account that saved it.
- Add Web Application Firewall (WAF) rules that block or alert on `_wplyr_accent_color` values which are not a plain colour; because the request comes from a logged-in administrator, treat any hit as a compromised or rogue account and rotate that account's password and sessions.
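The following script ties the detection steps and the clean-up step above together. It is an added example, not code from the advisory or from the plugin. It assumes WP-CLI is installed and the script runs from the WordPress root, that the value is stored as post meta under the key `_wplyr_accent_color` (the advisory names the parameter but not the table), and that the plugin slug is `wplyr-media-block`. It lists every stored accent colour, flags any that is not a plain CSS colour (a strict allow-list, so quotes, tags and `</style>` breakouts are all caught regardless of the exact payload), and in `fix` mode deletes the flagged meta so the plugin falls back to its default.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the plugin. Lists the
# stored '_wplyr_accent_color' values on a site, flags any that are not a
# plain CSS colour, and (with the "fix" argument) deletes the flagged ones.
# Assumptions: WP-CLI is installed and the script runs from the WordPress
# root; the value lives in postmeta under the key '_wplyr_accent_color'
# (the advisory names the parameter, not the table); the plugin slug is
# 'wplyr-media-block'.
set -u

META_KEY='_wplyr_accent_color'
PLUGIN_SLUG='wplyr-media-block'

# Return 0 when the value is a plain CSS colour that cannot close a quoted
# attribute or a <style> block, 1 otherwise. Strict allow-list: hex colours
# (#rgb, #rgba, #rrggbb, #rrggbbaa), rgb()/rgba()/hsl()/hsla() with numeric
# arguments, or a bare colour keyword. Newlines are stripped first so a
# payload hidden on a second line cannot slip past the anchored regex.
is_safe_color() {
    [ -z "$1" ] && return 0
    printf '%s' "$1" | tr -d '\n\r' | grep -Eq \
        '^(#([0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})|(rgb|rgba|hsl|hsla)\([0-9., %]+\)|[a-zA-Z]+)$'
}

# Read rows of "post_id<TAB>meta_value" on stdin (the format that
# `wp db query --skip-column-names` prints) and write the post IDs whose
# stored colour fails the allow-list, one per line.
scan_rows() {
    tab=$(printf '\t')
    while IFS="$tab" read -r post_id meta_value; do
        [ -n "$post_id" ] || continue
        is_safe_color "$meta_value" || printf '%s\n' "$post_id"
    done
}

# Pull the live rows. `wp db prefix` keeps the query correct on sites with
# a non-default table prefix.
fetch_rows() {
    prefix=$(wp db prefix)
    wp db query --skip-column-names \
        "SELECT post_id, meta_value FROM ${prefix}postmeta WHERE meta_key = '${META_KEY}'"
}

main() {
    mode=$1
    version=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || echo 'not installed')
    printf 'plugin %s version: %s (affected: up to and including 1.3.0)\n' "$PLUGIN_SLUG" "$version"
    flagged=$(fetch_rows | scan_rows)
    if [ -z "$flagged" ]; then
        echo 'no suspicious accent colour values found'
        return 0
    fi
    for post_id in $flagged; do
        printf 'post %s: stored %s is not a plain colour\n' "$post_id" "$META_KEY"
        if [ "$mode" = fix ]; then
            # Deleting the meta falls back to the plugin default; review the
            # post afterwards and re-enter the intended colour by hand.
            wp post meta delete "$post_id" "$META_KEY"
        fi
    done
    return 1
}

# Usage: sh wplyr-accent-scan.sh scan   (report only, exit 1 if anything is flagged)
#        sh wplyr-accent-scan.sh fix    (report and delete flagged values)
case "${1:-}" in
    scan|fix) main "$1" ;;
esac
```

Run it in `scan` mode first and take a database backup before `fix`; the non-zero exit status in `scan` mode makes it usable as a check in a cron job or CI step after the plugin has been updated, since a patched plugin does not remove payloads that were stored earlier.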