CVE-2023-0153 in Vimeo Video Autoplay Automute Plugin
Summary
by MITRE • 02/06/2023
The Vimeo Video Autoplay Automute WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/25/2025
The vulnerability identified as CVE-2023-0153 affects the Vimeo Video Autoplay Automute WordPress plugin version 1.0 and earlier, presenting a critical security risk through stored cross-site scripting flaws. This issue arises from inadequate input validation and output escaping mechanisms within the plugin's shortcode implementation, creating an attack vector that can be exploited by users possessing contributor-level permissions or higher. The vulnerability specifically targets the plugin's handling of shortcode attributes, where user-supplied data is not properly sanitized before being rendered back to the page, enabling malicious code execution in the context of the affected WordPress installation.
The technical flaw manifests in the plugin's failure to validate and escape shortcode parameters before incorporating them into HTML output within WordPress posts and pages. When contributors or higher-privileged users embed the plugin's shortcode with malicious attributes, the system stores these unfiltered inputs in the database. Subsequently, when the page containing the shortcode is rendered, the stored malicious code executes within the browser context of any user viewing the affected content, including administrators and other site visitors. This represents a classic stored XSS vulnerability where the payload persists server-side and propagates to end users without requiring repeated exploitation attempts.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers with contributor privileges to compromise the entire WordPress environment through persistent malicious code injection. The stored XSS attack allows for session hijacking, credential theft, privilege escalation, and potential malware distribution to other users. Given that contributors typically have the ability to publish posts and pages, attackers can establish persistent backdoors or execute malicious commands that persist across multiple user sessions. The vulnerability's severity is compounded by the fact that it requires minimal privileges to exploit, making it particularly dangerous in multi-user environments where contributor accounts may be compromised or misused.
Mitigation strategies for CVE-2023-0153 should prioritize immediate plugin updates to versions that address the input validation and output escaping deficiencies. System administrators must implement strict input validation for all user-supplied shortcode parameters, ensuring that any data entering the system undergoes proper sanitization before storage. The implementation should follow established security practices including the use of WordPress's built-in sanitization functions and proper HTML escaping techniques for all dynamic content. Additionally, administrators should consider implementing content security policies to limit the execution of unauthorized scripts, and conduct regular security audits of installed plugins to identify similar vulnerabilities. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and falls under ATT&CK technique T1548.001 for privilege escalation through malicious content injection. Organizations should also maintain comprehensive backup strategies to ensure quick recovery from potential exploitation and implement monitoring solutions to detect suspicious shortcode usage patterns that may indicate attempted exploitation of similar vulnerabilities.