CVE-2025-32688

The Target Video Easy Publish plugin for WordPress (brid-video-easy-publish) through version 3.8.9 contains a missing authorization vulnerability [1]. This flaw stems from insufficient access controls on certain plugin functions, allowing unauthenticated or low-privileged users to execute arbitrary WordPress shortcodes [1].

Exploitation requires no special privileges; an attacker only needs to send a crafted request to the WordPress installation [1]. The attack surface is broad because the plugin is widely deployed, and the vulnerability can be chained with other WordPress weaknesses to achieve remote code execution [1].

The impact is critical: a successful attacker can execute arbitrary PHP code on the target server, which may lead to full site compromise, data theft, malware injection, or use of the site in mass-exploit campaigns [1]. Given the simplicity of exploitation and the plugin's popularity, this vulnerability is expected to be widely targeted.

The plugin author has not released a patched version at the time of this advisory; users are urged to immediately disable or remove the plugin until an update is available [1]. If removal is not possible, consult a hosting provider or security professional for temporary mitigation steps.