VYPR
High severity 7.1 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 23, 2026

CVE-2025-54044

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _CreativeMedia_ Elite Video Player elite-video-player allows Reflected XSS. This issue affects Elite Video Player: from n/a through <= 10.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in CreativeMedia Elite Video Player plugin (≤10.0.5) allows attackers to inject arbitrary scripts via unneutralized input.

Vulnerability Overview

CVE-2025-54044 is a reflected Cross-Site Scripting (XSS) vulnerability affecting the _CreativeMedia_ Elite Video Player plugin for WordPress, versions 10.0.5 and earlier. The root cause is improper neutralization of user-supplied input during web page generation, enabling an attacker to inject malicious HTML or JavaScript into a response [1].

Exploitation Requirements

Exploitation requires user interaction: the victim must click a crafted link, visit a maliciously prepared page, or submit a specially designed form. The attacker does not need prior authentication; any unauthenticated user can be targeted. Because it is reflected XSS, the injected payload is executed in the context of the victim's browser upon visiting the vulnerable URL [1].

Impact

A successful attack allows the adversary to execute arbitrary scripts in the user's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertising and other HTML payloads. Given that this vulnerability is expected to be used in mass-exploit campaigns, it poses a significant risk to all sites running an affected version [1].

Mitigation

The vendor has addressed the issue in version 10.0.7. Users are strongly advised to update immediately. For those unable to upgrade, Patchstack offers a mitigation rule to block attacks until the update is applied. No workarounds other than updating or applying the virtual patch have been publicly documented [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
