What the vulnerability does
01Description
The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping in the videozen_conf() function. The 'lang' POST parameter is stored directly via update_option() without any sanitization, and later echoed inside a <textarea> element without applying esc_textarea() or any equivalent escaping function. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into the plugin settings page that will execute whenever any user accesses that page.
Explanation of Vulnerability in Simple Terms
02Summary
VideoZen versions 1.0.1 and earlier contain a cross-site scripting (XSS) vulnerability that allows an authenticated administrator to inject malicious scripts. The vulnerability has limited scope and requires high privileges and complex attack conditions. The impact is restricted to low-level confidentiality and integrity compromise.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that affect other users or site functionality.
Potential impact on your site
04Site Impact
An admin account could be used to inject scripts affecting site integrity or user data exposure.
Conditions required to exploit
05Prerequisites
Attacker must be an authenticated administrator with high privileges; complex attack conditions required.
Key dates
06Disclosure timeline
April 17, 2026
CVE published
April 20, 2026
Record updated
