CVE-2025-62142
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS. This issue affects Post Video Players: from n/a through <= 1.163.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Post Video Players plugin allows authenticated attackers to inject malicious scripts, affecting versions up to 1.163.
Vulnerability Description
The Post Video Players plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This issue affects all versions up to and including 1.163.
Exploitation
Exploitation requires an authenticated user with contributor-level access or higher to inject malicious script code into post or page content [1]. The injected script is stored on the server and executed when other users, including site visitors, access the affected page. Successful exploitation depends on a privileged user performing an action, such as clicking a malicious link or visiting a crafted page.
Impact
An attacker can leverage this vulnerability to inject arbitrary JavaScript, which may result in redirections, advertisements, or other HTML payloads [1]. This can compromise the integrity of the website and potentially lead to data theft or further attacks against site visitors.
Mitigation
The vendor has released a patched version of the plugin. Users are strongly advised to update to the latest version immediately [1]. If updating is not possible, consider implementing temporary workarounds such as disabling the plugin or enforcing strict input validation and output encoding.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.163
- Range: <=1.163
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.