CVE-2026-45442

The Ultimate Video Player For WordPress – by Presto Player <= 4.1.3 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.1.4
Time to patch: 1d

Description

The The Ultimate Video Player For WordPress – by Presto Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.1.3
Published: May 19, 2026
Last updated: May 19, 2026
Affected plugin: presto-player

What Changed in the Fix

Changes introduced in v4.1.4


Source Code

WordPress.org SVN
Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-45442

1. Vulnerability Summary

The The Ultimate Video Player For WordPress – by Presto Player plugin (versions <= 4.1.3) is vulnerable to Missing Authorization. The vulnerability exists because the plugin registers an action on the admin_init hook that performs a state-changing operation (updating a WordPress option) without sufficient capability checks or nonce verification. This allows unauthenticated attackers to modify site options prefixed with presto_player_dismissed_notice_.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-post.php
  • Hook: admin_init
  • Action: presto_action=dismiss_notices
  • Vulnerable Function: PrestoPlayer\Services\AdminNotices::dismiss()
  • Parameter: presto_notice (Used to determine the option key)
  • Authentication: None required (Unauthenticated).
  • Preconditions: None. admin-post.php triggers the admin_init hook even for unauthenticated users.

3. Code Flow

  1. The plugin's AdminNotices::register() function (in inc/Services/AdminNotices.php) hooks the dismiss() method to admin_init.
  2. When a request is made to /wp-admin/admin-post.php, WordPress initializes the admin environment and fires the
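The handler pattern described in sections 2 and 3 (an admin_init callback that updates a site option from request parameters) is illustrated below as an added example, not the plugin's own code or the vendor's patch: a hypothetical reconstruction of the unsafe shape next to a hardened version that adds the capability check, nonce verification and an allowlist of notice keys. The function names, the nonce action string and the notice IDs in the allowlist are assumptions.

```php
<?php
// Added example (hypothetical reconstruction): the unsafe shape described in
// the research plan. admin-post.php fires admin_init for every visitor, so this
// runs for unauthenticated requests and lets the caller pick the option suffix.
function example_dismiss_notice_unsafe() {
    if ( empty( $_GET['presto_action'] ) || 'dismiss_notices' !== $_GET['presto_action'] ) {
        return;
    }
    $notice = isset( $_GET['presto_notice'] ) ? $_GET['presto_notice'] : '';
    update_option( 'presto_player_dismissed_notice_' . $notice, true ); // no capability or nonce check
}

// Hardened version (added example, not the vendor's patch): same hook, but the
// request must come from a logged-in user with the right capability, carry a
// valid nonce, and name a notice the plugin actually knows about.
function example_dismiss_notice_hardened() {
    if ( empty( $_GET['presto_action'] ) || 'dismiss_notices' !== $_GET['presto_action'] ) {
        return;
    }

    // 1. Capability check: only users allowed to manage options may dismiss notices.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check (CSRF): 'example_dismiss_notice' is an assumed action name;
    //    the dismiss link is built with wp_nonce_url( $url, 'example_dismiss_notice' ).
    check_admin_referer( 'example_dismiss_notice' );

    // 3. Allowlist: never let request input choose the option key freely.
    $allowed = array( 'welcome', 'upgrade', 'review' ); // assumed notice IDs
    $notice  = isset( $_GET['presto_notice'] ) ? sanitize_key( wp_unslash( $_GET['presto_notice'] ) ) : '';
    if ( ! in_array( $notice, $allowed, true ) ) {
        wp_die( 'Unknown notice.', '', array( 'response' => 400 ) );
    }

    update_option( 'presto_player_dismissed_notice_' . $notice, true );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

add_action( 'admin_init', 'example_dismiss_notice_hardened' );
```

An alternative to hooking admin_init is registering the handler on admin_post_{action}, which WordPress only fires for logged-in users, and deliberately not providing the admin_post_nopriv_ variant; the capability and nonce checks are still needed there.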
