CVE-2022-50949

MEDIUM

WordPress Plugin Videos sync PDF 1.7.4 Stored XSS

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50949. PoCs published by UnD3sc0n0c1d0.

AI-analyzed exploit summary The exploit describes a stored XSS vulnerability in the WordPress plugin 'Videos sync PDF' version 1.7.4, where insufficient sanitization of input fields allows injection of malicious JavaScript. The PoC outlines steps to trigger the XSS via plugin settings.

Description

WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings.

Exploits (1)

exploitdb WRITEUP
by UnD3sc0n0c1d0 · textwebappsphp
https://www.exploit-db.com/exploits/50874

The exploit describes a stored XSS vulnerability in the WordPress plugin 'Videos sync PDF' version 1.7.4, where insufficient sanitization of input fields allows injection of malicious JavaScript. The PoC outlines steps to trigger the XSS via plugin settings.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin Videos sync PDF 1.7.4
Auth required
Prerequisites: WordPress admin access · Plugin installed and activated
devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-50874
https://www.exploit-db.com/exploits/50874
Product product
Official Product Homepage
http://www.a-j-evolution.com/
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress Plugin Videos sync PDF 1.7.4 Stored XSS
https://www.vulncheck.com/advisories/wordpress-plugin-videos-sync-pdf-stored-xss

Scores

CVSS v3 6.4
EPSS 0.0019
EPSS Percentile 8.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
A-J-Evolution/Videos sync PDF 1.7.4
Published May 10, 2026
Tracked Since May 10, 2026