{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6439", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-16T18:09:59.771Z", "datePublished": "2026-04-17T08:28:26.200Z", "dateUpdated": "2026-04-17T08:28:26.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T08:28:26.200Z"}, "affected": [{"vendor": "jconti", "product": "VideoZen", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozen_conf() function. The 'lang' POST parameter is stored directly via update_option() without any sanitization, and later echoed inside a <textarea> element without applying esc_textarea() or any equivalent escaping function. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into the plugin settings page that will execute whenever any user accesses that page."}], "title": "VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47bcd04b-a479-49f2-94d0-df2a7684210c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/videozen/trunk/videozen-conf.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/videozen/tags/1.0.1/videozen-conf.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/videozen/trunk/videozen-conf.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/videozen/tags/1.0.1/videozen-conf.php#L24"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-16T20:19:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozen_conf() function. The 'lang' POST parameter is stored directly via update_option() without any sanitization, and later echoed inside a <textarea> element without applying esc_textarea() or any equivalent escaping function. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into the plugin settings page that will execute whenever any user accesses that page."}], "id": "CVE-2026-6439", "lastModified": "2026-04-17T09:16:05.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T09:16:05.447", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/videozen/tags/1.0.1/videozen-conf.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/videozen/tags/1.0.1/videozen-conf.php#L69"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/videozen/trunk/videozen-conf.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/videozen/trunk/videozen-conf.php#L69"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47bcd04b-a479-49f2-94d0-df2a7684210c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T10:22:16.318426+00:00", "value": {"mitigation_remediation": ["Update VideoZen to a version newer than 1.0.1 in which the 'lang' option is properly sanitized and output escaped.", "If an update is not feasible immediately, disable or remove the \"VideoZen available subtitles languages\" configuration from the plugin settings to prevent the vulnerable POST parameter from being stored.", "Configure a web application firewall to block or log attempts to submit script\u2011laden content to the \"lang\" field, and monitor server logs for suspicious activity."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Theffected system is the WordPress plugin VideoZen from vendor jconti. The flaw exists in all versions up to and including 1.0.1. Any WordPress site that has installed this plugin and permits admin\u2011level users to modify the \"VideoZen available subtitles languages\" field is impacted.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw caused by the videozen_conf() function that accepts a POST parameter named \"lang\" and saves it directly to a WordPress option without any sanitization. When the value is later output inside a textarea element on the plugin settings page, the content is rendered as raw HTML, allowing an attacker to inject custom JavaScript. Users who view the settings page will then execute the embedded script, potentially enabling session hijacking, defacement, or malicious redirects. This flaw is classified as CWE\u201179 and requires the attacker to have Administrator or higher privileges to use the vulnerable form.", "risk_and_exploitability": "The CVSS base score is 4.4, indicating medium\u2011low severity. No EPSS score is published, and the vulnerability is not currently listed in the CISA KEV catalog. Because the attack requires authentication and administrative access to the plugin\u2019s settings page, it is not exploitable by unauthenticated actors. Nevertheless, within an environment where an attacker gains administrator rights\u2014such as through credential compromise or social engineering\u2014the vulnerability can be leveraged to execute arbitrary scripts with the privileges of any visitor to the settings page. The risk is considered significant for compromised sites, while the likelihood of exploitation outside such conditions is low."}}}}, "created": "2026-04-17T10:30:12.993067+00:00", "updated": "2026-04-17T10:30:12.993076+00:00", "vendors": []}