CVE-2025-31458
Published: 28 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-31458 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the forsgren Video Embedder (video-embedder) WordPress plugin that enables Stored Cross-Site Scripting (XSS). The vulnerability affects all versions of the plugin from n/a through 1.7.1. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.
An unauthenticated attacker (PR:N) can exploit this over the network by tricking an authenticated user, such as a site administrator, into visiting a malicious webpage or clicking a crafted link (UI:R). The CSRF request would then submit malicious input to the plugin, storing an XSS payload that executes in the context of other users viewing affected content. Successful exploitation yields low impacts on confidentiality, integrity, and availability but with changed scope, potentially allowing session hijacking, data theft, or further site compromise.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/video-embedder/vulnerability/wordpress-video-embedder-plugin-1-7-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability in detail for the WordPress Video Embedder plugin version 1.7.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190; resulting XSS facilitates T1185 for session hijacking and data theft as noted in impacts.