CVE-2025-48159

Vulnerability

Overview

The YouTube Vimeo Video Player and Slider WP Plugin for WordPress versions up to and including 3.8 contain a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw enables attackers to inject arbitrary HTML and JavaScript into a page's output, which is then executed in the browser of a victim who visits a specially crafted link [1].

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator) to be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially constructed form. The attack is reflected, meaning the injected payload does not persist on the server but is delivered and executed immediately via the crafted request. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying advertisements, or executing arbitrary HTML payloads. This can lead to compromised site integrity, defacement, or theft of sensitive information from users viewing the affected page [1].

Mitigation

The vulnerability is fixed in version 3.9 of the plugin. Users are strongly advised to update to version 3.9 or later immediately. For those unable to update immediately, Patchstack has issued a mitigation rule that can block attacks until the update is applied [1].