CVE-2025-49423

Vulnerability

Overview The Bulk YouTube Post Creator plugin for WordPress (versions up to 1.0) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the user.

Exploitation

Exploitation requires a privileged user to perform an action, such as clicking a specially crafted link or visiting a maliciously prepared page. The attack does not require any special network position and can be initiated by any authenticated user with the ability to interact with the plugin. The vulnerability is classified as reflected XSS, meaning the payload is embedded in the request and executed immediately in the browser of the targeted user [1].

Impact

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or injection of ads and other unwanted content. The impact is amplified because the vulnerability is expected to be used in mass-exploit campaigns targeting multiple websites [1].

Mitigation

The vendor has not released a patched version yet, but users can mitigate the risk by applying a virtual security rule from Patchstack until an official update is available. As the plugin is marked as end-of-life, it may not receive a fix, so users are advised to consider replacing the plugin. Immediate action is recommended to prevent exploitation [1].