VYPR
High severity (CVSS 7.1) · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58843

Description

CSRF in Auto Last Youtube Video plugin <=1.0.7 enables stored XSS via crafted requests, risking site compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Auto Last Youtube Video plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability that facilitates Stored Cross-Site Scripting (XSS). The flaw exists because the plugin neither verifies that state-changing requests originate from its own forms nor sanitizes the submitted values, allowing an attacker to trick a privileged user into performing unintended actions. This issue affects all versions up to and including 1.0.7 [1].

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while logged into the WordPress admin area. No direct authentication is needed for the attacker, but the victim must have sufficient privileges to modify plugin settings or content. The attack surface is limited to authenticated users, making it a higher-risk scenario for sites with multiple administrators or editors [1].

If successfully exploited, an attacker can inject arbitrary JavaScript code that gets stored and executed in the context of other users' sessions. This stored XSS can lead to session hijacking, defacement, or further privilege escalation. The CVSS score of 7.1 (High) reflects the combination of low attack complexity, required user interaction, and high impact on integrity and confidentiality [1].

The vendor has been notified, and users are strongly advised to update the plugin to a patched version immediately. If unable to update, website administrators should consider implementing additional security measures such as Web Application Firewall (WAF) rules or disabling the plugin until a fix is applied [1].
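The defensive pattern the narrative above calls for, as an added illustration and not the plugin's own code: a hypothetical WordPress settings handler with the capability check, nonce verification, input sanitisation and output escaping whose absence produces a CSRF-to-stored-XSS chain. Hook names, option names and field names (`alyv_demo_*`) are constructed for the example.

```php
<?php
// Hypothetical WordPress plugin settings handler (constructed illustration,
// not the Auto Last Youtube Video plugin's own code). The CSRF-to-stored-XSS
// chain described above relies on the controls marked 1-4 being absent.

add_action( 'admin_post_alyv_demo_save', 'alyv_demo_save_settings' );

function alyv_demo_save_settings() {
    // 1. Capability check: only users who may manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the form must carry a nonce WordPress issued to this
    //    user for this action. A request forged from another site lacks a
    //    valid one, so check_admin_referer() stops the request here.
    check_admin_referer( 'alyv_demo_save', 'alyv_demo_nonce' );

    // 3. Sanitise before storing; $_POST is untrusted even from an admin.
    //    wp_kses() with an empty allow-list strips every HTML tag.
    $title = isset( $_POST['alyv_title'] )
        ? wp_kses( wp_unslash( $_POST['alyv_title'] ), array() ) : '';
    update_option( 'alyv_demo_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=alyv-demo&saved=1' ) );
    exit;
}

// The settings form: wp_nonce_field() emits the hidden nonce input that
// check_admin_referer() verifies on submit.
function alyv_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="alyv_demo_save">
        <?php wp_nonce_field( 'alyv_demo_save', 'alyv_demo_nonce' ); ?>
        <input type="text" name="alyv_title"
               value="<?php echo esc_attr( get_option( 'alyv_demo_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Escape on output: a stored value must be escaped for the HTML context
//    it lands in, so even a tainted option cannot execute script.
function alyv_demo_render_title() {
    echo '<h2>' . esc_html( get_option( 'alyv_demo_title', '' ) ) . '</h2>';
}
```

A WAF rule, as the narrative suggests for sites that cannot update, can only filter request bodies; the nonce check is what removes the CSRF vector, and output escaping is what keeps an already-stored payload inert.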

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.