CVE-2025-48170
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder lbg-universal-video-player-addon-visual-composer allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through <= 3.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Universal Video Player Addon for WPBakery (<=3.2.1) allows script injection via improper input neutralization.
Vulnerability Overview
The Universal Video Player - Addon for WPBakery Page Builder plugin (WordPress) contains a Reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. The flaw exists in versions up to and including 3.2.1, affecting the plugin's handling of parameters passed in URLs or forms [1]. This allows an attacker to inject arbitrary HTML and JavaScript code into the response page.
Attack Vector and Exploitation
Exploitation requires user interaction—a privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form. The attack can be initiated remotely without authentication, but successful execution depends on the victim performing the action. This class of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites irrespective of their size or popularity [1].
Impact
If exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. Potential impacts include redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies or credentials, or defacing the website. The CVSS v3 base score is 7.1 (High), reflecting the moderate complexity and significant confidentiality/integrity impact [1].
Mitigation
The vendor has released version 3.2.2.0, which resolves the vulnerability. Users are strongly advised to update immediately. If unable to update, applying a mitigation rule (e.g., via Patchstack) can block attacks. The advisory also notes that this vulnerability is expected to be actively exploited in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.