CVE-2023-6485: 
WordPress vulnerability analysis and mitigation

The Html5 Video Player WordPress plugin versions before 2.5.19 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on December 8, 2023, and was assigned CVE-2023-6485. The issue affects the plugin's player settings functionality, where insufficient sanitization and capability checks could expose the system to potential attacks (WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape player settings, combined with missing capability checks. This security flaw has been assigned a CVSS score of 8.0 (high severity). The vulnerability is classified as a CWE-79 type issue and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows any authenticated users, including those with subscriber-level access, to perform Stored Cross-Site Scripting attacks targeting high-privilege users such as administrators. The attack can be triggered when an administrator views the player lists in the WordPress admin panel (WPScan).

The vulnerability has been patched in version 2.5.19 of the Html5 Video Player plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).