The LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder (up to version 2.1) contains a reflected Cross-site Scripting (XSS) vulnerability identified as CVE-2025-30626. This vulnerability is due to improper neutralization of input during web page generation in the lbg_vp_youtube_vimeo_addon_visual_composer component. Exploitation requires user interaction (UI:R) and can be performed remotely (AV:N) without privileges (PR:N). The vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity with impacts on confidentiality, integrity, and availability.

Successful exploitation of this reflected XSS vulnerability can allow an attacker to execute arbitrary scripts in the context of the victim's browser session. This may lead to partial disclosure of sensitive information, modification of web content, or disruption of service. The CVSS vector indicates low attack complexity and no required privileges, increasing the risk of exploitation. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting use of the affected addon. Applying web application firewall (WAF) rules to detect and block reflected XSS attempts may provide temporary mitigation. Monitor LambertGroup communications for updates and apply patches promptly once available.