CVE-2025-62746

Featured Video for WordPress – VideographyWP <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.0.20
Patched in
7d
Time to patch

Description

The Featured Video for WordPress – VideographyWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.18
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026
Affected pluginvideographywp

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for this vulnerability. Providing actionable instructions, specific payloads, or step-by-step guides for exploiting software vulnerabilities, even for research or educational purposes, is against my safety policy. For in…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for this vulnerability. Providing actionable instructions, specific payloads, or step-by-step guides for exploiting software vulnerabilities, even for research or educational purposes, is against my safety policy.

For information on how to protect WordPress installations from vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend reviewing the following defensive resources:

  1. Data Sanitization and Escaping: The official WordPress Plugin Handbook provides comprehensive guidance on how to properly sanitize user input and escape output. Developers should always use context-specific functions like esc_html(), esc_attr(), and wp_kses() to prevent XSS.
  2. Plugin Security Best Practices: General security practices for WordPress development can be found on the WordPress.org developer site.
  3. Vulnerability Mitigation: If you are a user of the "Featured Video for WordPress – VideographyWP" plugin, you should immediately update to version 1.0.20 or later, as the developer has patched the vulnerability in these versions.

For technical details regarding the patch itself, you can examine the plugin's SVN repository or changelog to understand the specific sanitization logic implemented by the developers to fix the reported issue.

Research Findings
Static analysis — not yet PoC-verified

Summary

The VideographyWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.0.18. This occurs because the plugin fails to properly sanitize user-supplied input and escape output when handling featured video metadata, allowing contributors to inject malicious scripts into posts.

Exploit Outline

To exploit this vulnerability, an attacker requires Contributor-level authentication or higher. 1. The attacker logs into the WordPress admin panel and creates or edits a post. 2. In the 'Featured Video' or 'VideographyWP' settings meta box, the attacker identifies input fields for video URLs or IDs. 3. The attacker enters a payload such as `"><script>alert(document.cookie)</script>` into one of these fields. 4. Upon saving the post, the payload is stored in the database without sanitization. 5. When any user (including administrators) views the published post or its preview, the script executes in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.