CVE-2025-54016

Vulnerability

Overview

CVE-2025-54016 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Videopack plugin (video-embed-thumbnail-generator) for WordPress, affecting versions from n/a through 4.10.3. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject and execute arbitrary JavaScript in the context of a victim's browser [1].

Exploitation

Details

Exploitation requires user interaction: a privileged user (e.g., an administrator) must perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The vulnerability is DOM-based, meaning the payload is processed client-side without being sent to the server, making it harder to detect via traditional server-side filters [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute when other users (including site visitors) access the affected page, potentially leading to session hijacking, defacement, or phishing attacks [1].

Mitigation

The vendor has released version 4.10.4 to address this issue. Users are strongly advised to update immediately. According to the advisory, the vulnerability has a low severity impact and is considered unlikely to be exploited, but prompt patching is recommended to prevent potential mass-exploit campaigns [1].