[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"public-cve-CVE-2026-9125":3,"news-by-cve-CVE-2026-9125-10":59},{"cvss_score":4,"has_ai_summary":5,"date_updated":6,"has_exploit":5,"description":7,"title":8,"assigner_org":9,"nvd_cvss_score":4,"tags":10,"date_published":11,"source_identifier":12,"cvss_source":13,"has_workaround":5,"sectors":14,"id":15,"attack_technique_count":16,"weaknesses":17,"references_preview":20,"cvss_version":28,"cvss_severity":29,"nvd_cvss_severity":29,"in_kev":5,"has_solution":5,"attack_techniques":30,"attack_tactics":45,"has_nuclei_templates":5,"state":46,"exploit_count":47,"reference_count":48,"affected_products_preview":49,"remediation_summary":53,"sources":54,"has_attack_graph":55,"cvss_vector":56,"nvd_cvss_vector":56,"kev_ransomware_use":5,"affected_product_count":57,"nuclei_template_count":47,"vendor_context":58,"assigner_short_name":9},6.4,false,"2026-06-12T02:16:42Z","The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","The Ultimate Video Player For WordPress \u003C= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute","",[],"2026-06-12T01:28:02Z","b15e7b5b-3da4-40ae-a43c-f7aa60e62599","nvd",[],"CVE-2026-9125",2,[18],{"cwe_id":19,"name":9},"CWE-79",[21,24,26],{"url":22,"source":23},"https://www.wordfence.com/threat-intel/vulnerabilities/id/c87e7f50-f14a-4751-abcb-3a5bdd214889?source=cve","cvelist",{"url":25,"source":23},"https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/inc/Services/Shortcodes.php#L464",{"url":27,"source":23},"https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/inc/Services/Shortcodes.php#L513","3.1","MEDIUM",[31,38],{"technique_name":32,"tactic":33,"tactic_name":34,"url":35,"confidence":36,"technique_id":37},"Command and Scripting Interpreter","execution","Execution","https://attack.mitre.org/techniques/T1059/","medium","T1059",{"technique_name":39,"tactic":40,"tactic_name":41,"url":42,"confidence":43,"technique_id":44},"Drive-by Compromise","initial-access","Initial Access","https://attack.mitre.org/techniques/T1189/","high","T1189",[34,41],"PUBLISHED",0,10,[50],{"vendor":51,"product":52},"2winfactor","Presto Player",{"has_patch":5,"has_workaround":5},[23,13],true,"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",1,[],{"cve_id":15,"items":60,"total":47},[]]