CVE-2025-27298
Published: 24 February 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-27298 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the cmstactics WP Video Posts WordPress plugin (wp-video-posts). The flaw enables OS Command Injection and affects all versions from n/a through 3.5.1. Published on 2025-02-24, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
An unauthenticated attacker can exploit this over the network with no privileges required, though it demands high attack complexity and user interaction, such as tricking an authenticated site visitor into submitting a forged request via a malicious webpage. Successful exploitation allows OS Command Injection, resulting in remote code execution with high impacts across confidentiality, integrity, and availability, while changing the scope of compromise.
The Patchstack advisory provides further details on this CSRF-to-RCE vulnerability in WP Video Posts version 3.5.1, available at https://patchstack.com/database/Wordpress/Plugin/wp-video-posts/vulnerability/wordpress-wp-video-posts-plugin-3-5-1-csrf-to-remote-code-execution-rce-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables exploitation of the web application for initial access (T1190) and facilitates OS command injection leading to RCE via Unix shell commands (T1059.004).