Video List Manager Security & Risk Analysis

wordpress.org/plugins/video-list-manager

Display videos easily (from YOUTUBE, VIMEO, DAILYMOTION) with lightbox effect. Especially, all your videos will be fitted on all layouts.

100 active installs · v1.7 · PHP + · WP 3.0.1+ · Updated May 23, 2020
Tags: dailymotion, video, video-list, vimeo, youtube
Score 22 · F · Critical Risk
CVEs total: 5
Unpatched: 5
Last CVE: Jul 1, 2025
Safety Verdict

Is Video List Manager Safe to Use in 2026?

Critical Risk — Avoid

Score 22/100

Video List Manager is critically unsafe with 5 known CVEs, 5 still unpatched. Avoid in production.

5 known CVEs · 5 unpatched · Last CVE: Jul 1, 2025 · Updated 5yr ago
Risk Assessment

The "video-list-manager" v1.7 plugin presents a significant security risk due to a history of multiple unpatched vulnerabilities and concerning patterns in its static analysis. While the plugin has no documented AJAX handlers or REST API routes that are unprotected, and its direct entry points are limited, the presence of 5 unpatched CVEs, including 2 high severity ones, overshadows these positive aspects. These historical vulnerabilities point to recurring issues with Cross-site Scripting, SQL Injection, and Missing Authorization, indicating a consistent struggle with secure coding practices. The static analysis further reveals a concerning 95% of output is not properly escaped, creating a high probability of Cross-site Scripting vulnerabilities being present and exploitable, even if not explicitly detected in the limited taint analysis performed. The fact that 36% of SQL queries are not prepared also raises immediate concerns about SQL Injection risks. Despite the absence of critical taint flows and dangerous functions in the current analysis, the plugin's past and the identified code quality issues make it a high-risk component.

Key Concerns

  • 5 Unpatched CVEs (2 High, 3 Medium)
  • 95% of outputs not properly escaped
  • 36% of SQL queries not prepared
  • 0 Nonce checks detected
  • 0 Capability checks detected
Vulnerabilities
5

Video List Manager Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE · unpatched
  • 2025: 4 CVEs · unpatched

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2025-52831 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Video List Manager <= 1.7 - Unauthenticated SQL Injection
Jul 1, 2025 · Unpatched

CVE-2025-52776 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Video List Manager <= 1.7 - Reflected Cross-Site Scripting
Jun 26, 2025 · Unpatched

CVE-2025-52821 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Video List Manager <= 1.7 - Authenticated (Contributor+) SQL Injection
Jun 19, 2025 · Unpatched

CVE-2025-49986 · medium · 5.3 · Missing Authorization
Video List Manager <= 1.7 - Missing Authorization
Jun 19, 2025 · Unpatched

CVE-2023-1408 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Video List Manager <= 1.7 - Authenticated (Admin+) SQL Injection
Apr 17, 2023 · Unpatched

Code Analysis
Analyzed Mar 16, 2026

Video List Manager Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (9 prepared)
  • Unescaped Output: 71 (4 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

64% prepared · 14 total queries

Output Escaping

5% escaped · 75 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
tnt_video_manage (includes\menus-view.php:11)
Attack Surface

Video List Manager Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes: 2

  • [tnt_video_list] · includes\shortcode.php:5
  • [tnt_video] · includes\shortcode.php:6

WordPress Hooks: 6

  • action · admin_menu · includes\menus.php:9
  • action · showMessage · includes\message.php:26
  • action · wp_enqueue_scripts · includes\template.php:9
  • action · init · includes\template.php:44
  • action · admin_print_styles · includes\template.php:68
  • action · init · includes\template.php:79
Maintenance & Trust

Video List Manager Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 5.4.19
  • Last updated: May 23, 2020
  • PHP min version
  • Downloads: 21K

Community Trust

  • Rating: 94/100
  • Number of ratings: 12
  • Active installs: 100
Developer Profile

Video List Manager Developer Profile

thanhtungtnt

1 plugin · 100 total installs

  • Trust score: 39
  • Avg Security Score: 22/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Video List Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/video-list-manager/css/skin1/colorbox.css
  • /wp-content/plugins/video-list-manager/css/skin2/colorbox.css
  • /wp-content/plugins/video-list-manager/css/skin3/colorbox.css
  • /wp-content/plugins/video-list-manager/css/skin4/colorbox.css
  • /wp-content/plugins/video-list-manager/css/skin5/colorbox.css
  • /wp-content/plugins/video-list-manager/css/style.css
  • /wp-content/plugins/video-list-manager/js/jquery.colorbox-min.js
  • /wp-content/plugins/video-list-manager/js/custom.js
  • +3 more

Script Paths

  • /wp-content/plugins/video-list-manager/js/jquery.colorbox-min.js
  • /wp-content/plugins/video-list-manager/js/custom.js
  • /wp-content/plugins/video-list-manager/js/jquery.validate.js
  • /wp-content/plugins/video-list-manager/js/admin.js

Version Parameters

  • video-list-manager/css/skin1/colorbox.css?ver=
  • video-list-manager/css/skin2/colorbox.css?ver=
  • video-list-manager/css/skin3/colorbox.css?ver=
  • video-list-manager/css/skin4/colorbox.css?ver=
  • video-list-manager/css/skin5/colorbox.css?ver=
  • video-list-manager/css/style.css?ver=
  • video-list-manager/js/jquery.colorbox-min.js?ver=
  • video-list-manager/js/custom.js?ver=
  • video-list-manager/css/admin.css?ver=
  • video-list-manager/js/jquery.validate.js?ver=
  • video-list-manager/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
tntVideoList, tntVideoItem, noML, videoLink, tntSocialShareTitle32, tntIcon32, tntFIcon32, tntTIcon32, +2 more
Data Attributes
data-columns
JS Globals
TNT_JS_URL
Shortcode Output
<div class="tntVideoList"
FAQ

Frequently Asked Questions about Video List Manager