CVE-2010-4875 in Vodpod Video Gallery
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpod_gallery_thumbs.php in the Vodpod Video Gallery Plugin 3.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gid parameter.
Analysis
by VulDB Data Team • 12/24/2025
The CVE-2010-4875 vulnerability represents a critical cross-site scripting flaw within the Vodpod Video Gallery WordPress plugin version 3.1.5, specifically affecting the vodpod_gallery_thumbs.php component. This vulnerability arises from inadequate input validation and sanitization of user-supplied data, creating an exploitable entry point for malicious actors to execute arbitrary web scripts within the context of affected websites. The flaw manifests when the plugin processes the gid parameter without proper sanitization, allowing attackers to inject malicious code that can be executed by unsuspecting users visiting the affected pages.
Technically, the flaw follows the classic XSS pattern, with the gid parameter serving as the injection vector. When a user accesses a page that uses the vulnerable plugin with a crafted gid value, the application fails to validate or escape the input before rendering it in the web page. An attacker can therefore embed JavaScript, HTML tags, or other malicious content that executes in the browser of anyone viewing the affected page. The vulnerability lies specifically in the plugin's thumbnail display functionality, where the gid parameter identifies and retrieves video content, making that code path the natural target.
The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and redirection to malicious sites. Attackers can leverage this vulnerability to steal user cookies, which may contain authentication tokens, or redirect victims to phishing pages designed to capture sensitive information. The vulnerability affects any WordPress installation running the vulnerable plugin version, making it particularly dangerous as it can be exploited across multiple websites simultaneously. Additionally, the attack requires minimal technical expertise to execute, as the vulnerability exists in the application layer rather than requiring complex exploitation techniques.
Security professionals should consider this vulnerability in the context of CWE-79, which specifically addresses cross-site scripting flaws in software applications. The vulnerability also aligns with ATT&CK technique T1566.001, which covers the use of malicious web content for initial access and privilege escalation. Organizations should implement immediate mitigations including updating to the patched version of the Vodpod Video Gallery plugin, implementing proper input validation and output encoding, and deploying web application firewalls to detect and block malicious requests. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify and remediate similar vulnerabilities that may exist in other components of the web application stack.
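To make the validation-and-encoding mitigation concrete, here is an added example (not the plugin's or VulDB's code) of a hypothetical thumbnail renderer that echoes `gid` unescaped, beside a hardened version. `absint()`, `esc_attr()` and `esc_html()` are real WordPress core helpers; the stand-in definitions only let the file run under plain PHP.

```php
<?php
// Added example, not code from the Vodpod Video Gallery plugin. It shows the
// bug class the advisory describes (a request parameter rendered into HTML
// without validation or output encoding) next to the hardened form.

// Stand-ins so this runs outside WordPress; real WP defines all three.
if (!function_exists('absint')) {
    function absint($maybeint) { return abs((int) $maybeint); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the raw parameter is interpolated into markup, so any
// quote or angle bracket in it changes the structure of the page.
function render_thumbs_vulnerable(array $get): string {
    $gid = $get['gid'] ?? '';
    return '<div class="vodpod-thumbs" data-gid="' . $gid . '">'
         . '<a href="?gid=' . $gid . '">Gallery ' . $gid . '</a></div>';
}

// Hardened pattern: a gallery id is an integer, so validate it as one first
// (absint() turns '42"<b>' into 42 and non-numeric junk into 0), then encode
// every value that still reaches an attribute or text node.
function render_thumbs_fixed(array $get): string {
    $gid = absint($get['gid'] ?? 0);
    if ($gid === 0) {
        return '<p>' . esc_html('Invalid gallery id.') . '</p>';
    }
    return '<div class="vodpod-thumbs" data-gid="' . esc_attr($gid) . '">'
         . '<a href="' . esc_attr('?gid=' . $gid) . '">Gallery '
         . esc_html($gid) . '</a></div>';
}

// Constructed inputs: a legitimate id and one carrying markup metacharacters.
foreach ([['gid' => '42'], ['gid' => '42"<b>bold</b>'], ['gid' => 'x']] as $get) {
    echo "input:      ", $get['gid'], PHP_EOL;
    echo "vulnerable: ", render_thumbs_vulnerable($get), PHP_EOL;
    echo "fixed:      ", render_thumbs_fixed($get), PHP_EOL, PHP_EOL;
}
```

Run with `php` on the command line; the second input shows the attribute breakout in the vulnerable output and only the integer 42 in the fixed output, and the third is rejected outright.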