CVE-2025-25097
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in WordPress External Video For Everybody plugin (<=2.1.1) allows attackers to inject arbitrary scripts via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The External Video For Everybody WordPress plugin versions up to and including 2.1.1 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The plugin fails to sanitize or escape video-related parameters before storing them in the database, allowing malicious scripts to be injected. The plugin has been closed from the WordPress.org directory as of January 8, 2025, due to a security issue [1].
Exploitation
An attacker with contributor-level access or higher (i.e., any user who can create or edit posts) can inject a crafted payload into the video URL or other input fields provided by the plugin. When the stored data is later rendered on a page viewed by other users, the malicious script executes in the context of the victim's browser. No additional user interaction beyond viewing the affected page is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users who visit pages containing the injected content. This can lead to session hijacking, defacement, or redirection to malicious sites. The attack is stored, meaning the payload persists and affects all subsequent visitors.
Mitigation
No patched version is available; the plugin has been removed from the WordPress.org plugin directory and is no longer maintained [1]. Users should immediately uninstall the plugin and replace it with an alternative solution. There is no known workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
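Since the only remedy is removal, the practical first step is an inventory check. The following POSIX shell script is an added example (not part of this advisory or of the plugin) that reads `wp plugin list` CSV output and flags an installed copy of the slug `external-video-for-everybody` inside the affected range `<=2.1.1`; the CSV embedded below is constructed sample data so the script runs offline, and `version_le` assumes purely numeric dotted versions (no pre-release suffixes).

```shell
#!/bin/sh
# Audit a WordPress install for the plugin named in CVE-2025-25097.
# Slug and affected range come from the advisory; the WP-CLI commands in the
# comments are WP-CLI's documented interface. The CSV sample is constructed.

PLUGIN_SLUG="external-video-for-everybody"
MAX_AFFECTED="2.1.1"   # highest affected version per the advisory (<=2.1.1)

# version_le A B -> exit status 0 when dotted version A <= B, compared
# component-wise as integers; missing components count as 0 (2.1 == 2.1.0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 0;
    }'
}

# is_affected VERSION -> exit status 0 when VERSION is inside the affected range.
is_affected() { version_le "$1" "$MAX_AFFECTED"; }

# check_plugin_list CSV -> prints one of:
#   "affected <version>", "installed-unaffected <version>", "not-installed"
# CSV has the shape of: wp plugin list --fields=name,status,version --format=csv
check_plugin_list() {
    found=$(printf '%s\n' "$1" | awk -F, -v slug="$PLUGIN_SLUG" \
        'NR > 1 && $1 == slug { print $3; exit }')
    if [ -z "$found" ]; then
        echo "not-installed"
    elif is_affected "$found"; then
        echo "affected $found"
    else
        echo "installed-unaffected $found"
    fi
}

# Constructed sample (not from a real site) so the check can be exercised offline.
SAMPLE_CSV='name,status,version
akismet,active,5.3
external-video-for-everybody,active,2.1.1'

# On a real site:  check_plugin_list "$(wp plugin list --fields=name,status,version --format=csv)"
# If it reports "affected", remove the plugin, since no fixed release exists:
#   wp plugin deactivate external-video-for-everybody && wp plugin delete external-video-for-everybody
check_plugin_list "$SAMPLE_CSV"
```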
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- External Video For Everybody (WordPress plugin), range: <=2.1.1
Patches
external-video-for-everybody: This plugin was removed from the WordPress.org directory on 2025-01-08 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References