CVE-2025-30626 HIGH

CVE-2025-30626: WordPress Multimedia Playlist Slider Addon for WPBakery Page Builder <= 2.1 - Cross Site Scripting (XSS) Vulnerability

Vendor Lambertgroup
Product Multimedia Playlist Slider Addon for WPBakery Page Builder
Weakness CWE-79 · XSS
Published August 14, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder lbg_vp_youtube_vimeo_addon_visual_composer allows Reflected XSS.This issue affects Multimedia Playlist Slider Addon for WPBakery Page Builder: from n/a through <= 2.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Multimedia Playlist Slider Addon for WPBakery Page Builder versions 2.1 and earlier contain a cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in the browsers of site visitors. The vulnerability requires user interaction—typically clicking a malicious link—and can affect other users and site functionality. Update the plugin to a version newer than 2.1.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in visitors' browsers, stealing session cookies or redirecting users.

Potential impact on your site

04Site Impact

Site visitors may be redirected, have sessions hijacked, or see defaced content without your knowledge.

Conditions required to exploit

05Prerequisites

Visitor must click a malicious link or visit a compromised page containing the payload.

Key dates

06Disclosure timeline

August 14, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-32774 Vulnogram - Stored Cross-Site Scripting via Comment Hypertext CVE-2025-50037 WordPress Buying Buddy IDX CRM plugin <= 2.3.0 - Cross Site Scripting (XSS) Vulnerability CVE-2025-68992 WordPress BWL Knowledge Base Manager plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability CVE-2026-25417 WordPress ProfileGrid plugin <= 5.9.8.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-5413 Cross-Site Scripting (XSS) vulnerability on PhpMyBackupPro