CVE-2025-4955 in tarteaucitron.io Plugin
Summary
by MITRE • 06/18/2025
The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.
Analysis
by VulDB Data Team • 07/03/2025
The vulnerability identified as CVE-2025-4955 affects the tarteaucitron.io WordPress plugin in versions before 1.9.5 (1.9.4 and earlier). The plugin takes query parameters from YouTube oEmbed URLs and uses them without sanitizing them correctly. A user with the Contributor role or higher can therefore place script in the query string of a YouTube URL that the plugin later turns into markup, creating a persistent cross-site scripting vector that executes in the browsers of other users of the affected WordPress installation and can compromise their sessions and data. The flaw matters because YouTube oEmbed URLs are a routine way of embedding video in posts and pages, and because Contributors cannot ordinarily put script into content: WordPress filters the HTML they submit, but a URL passes that filter, and here the plugin's own handling of the URL is what turns it into script on the page.
Technically, the weakness is in the plugin's processing of YouTube oEmbed URLs: the query string attached to the embed URL is read and reused without adequate validation or escaping. When a Contributor or a higher role adds a YouTube embed to a post or page, the post content, and with it the URL, is stored in the WordPress database. When the content is rendered, the plugin, a cookie consent manager that gates third-party embeds behind user consent, processes the embed URL and reuses its query parameters. Because those parameters are not filtered or escaped first, a parameter value containing HTML or script becomes part of the generated page. The issue maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant: the payload is kept on the server with the content and executes whenever another user views it, including an editor reviewing a Contributor's draft or an administrator previewing it, until the content is cleaned up or the plugin is updated to a version that sanitizes the parameters.
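The pattern described above, shown as an added example. This is not code from the tarteaucitron.io plugin: it models the step the advisory describes (query parameters taken from a YouTube embed URL and written into consent-placeholder markup) in a vulnerable form and a hardened form. The placeholder structure, the data- attribute names and the parameter allowlist are assumptions made for the example.

```javascript
// Added example, not code from the tarteaucitron.io plugin. It models the
// step the advisory describes: query parameters taken from a YouTube embed
// URL and written into consent-placeholder markup. Placeholder structure,
// attribute names and the parameter allowlist are assumptions.

// YouTube player parameters accepted here, with the value shape of each.
const ALLOWED_PARAMS = {
  autoplay: /^[01]$/,
  controls: /^[012]$/,
  loop: /^[01]$/,
  mute: /^[01]$/,
  rel: /^[01]$/,
  start: /^\d{1,6}$/,
  end: /^\d{1,6}$/,
};

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the video id from /embed/<id> or /watch?v=<id> URLs.
function videoIdFrom(url) {
  return url.pathname.startsWith('/embed/')
    ? url.pathname.slice('/embed/'.length)
    : url.searchParams.get('v') || '';
}

// VULNERABLE pattern: decoded query parameters are concatenated straight into
// an attribute, so a value that closes the quote injects markup and script.
function buildPlaceholderVulnerable(embedUrl) {
  const url = new URL(embedUrl);
  const params = [];
  url.searchParams.forEach((v, k) => { if (k !== 'v') params.push(`${k}=${v}`); });
  return `<div class="yt-placeholder" data-video="${videoIdFrom(url)}" data-params="${params.join('&')}"></div>`;
}

// HARDENED pattern: check the host, validate the video id, keep only
// allowlisted parameters whose values match the expected shape, and escape
// everything that is emitted into the attribute.
function buildPlaceholderHardened(embedUrl) {
  const url = new URL(embedUrl);
  if (url.protocol !== 'https:' || !/^(www\.)?youtube\.com$/.test(url.hostname)) {
    throw new Error('not a YouTube embed URL');
  }
  const videoId = videoIdFrom(url);
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error('invalid video id');
  const params = [];
  url.searchParams.forEach((v, k) => {
    // hasOwnProperty guards against keys such as "constructor" or "__proto__"
    // resolving to Object.prototype members instead of allowlist entries.
    if (Object.prototype.hasOwnProperty.call(ALLOWED_PARAMS, k) && ALLOWED_PARAMS[k].test(v)) {
      params.push(`${k}=${v}`);
    }
  });
  return `<div class="yt-placeholder" data-video="${escapeAttr(videoId)}" data-params="${escapeAttr(params.join('&'))}"></div>`;
}

// Constructed input: a URL a Contributor could paste, carrying a payload in a
// player parameter. The video id is made up for the example.
const MALICIOUS_URL =
  'https://www.youtube.com/embed/aBcDeFgHiJk?autoplay=1&controls="><img src=x onerror=alert(1)>';
```

With MALICIOUS_URL, the vulnerable builder emits the img tag and its onerror handler inside the page, while the hardened builder drops the controls parameter because its value does not match the allowed shape and emits only autoplay=1. Note that the hardened form escapes the ampersand between parameters as well: an unescaped & inside an attribute is invalid HTML and is exactly the kind of detail that slips when markup is built by string concatenation.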
The operational impact extends beyond a single script injection. An attacker with Contributor access can craft a YouTube URL whose query string carries a script payload in a player parameter (for example in the value of 'autoplay' or 'controls') and submit it in a post. When other users view the post, or an editor or administrator previews it for review, the stored script runs in their browser within their session: it can read what the page exposes, redirect the victim to an attacker-controlled site, or perform authenticated actions through the WordPress admin interface on their behalf, which is how a stored XSS reachable from a low-privilege account becomes a path to privilege escalation and a persistent foothold. WordPress sets its authentication cookies HttpOnly, so the realistic objective is request forgery in the victim's session (such as creating an administrator account or installing a plugin) rather than cookie theft. In ATT&CK terms the relevant technique is T1059.007 (Command and Scripting Interpreter: JavaScript), attacker-controlled JavaScript executing in the victim's browser through legitimate WordPress functionality.
The mitigation is to upgrade the tarteaucitron.io plugin to version 1.9.5 or later, which sanitizes the oEmbed parameters correctly. Until the upgrade is in place, administrators should audit existing posts and pages for YouTube embed URLs whose query strings contain anything other than ordinary player parameters, paying particular attention to drafts and pending content from Contributor accounts, since those are the users who could exploit the flaw and whose content editors review in the browser. Defence in depth that applies regardless of this plugin includes a Content-Security-Policy that restricts script sources (noting that the WordPress admin relies on inline script, so a strict policy needs nonces or hashes and careful testing), Web Application Firewall rules that reject oEmbed URLs with markup characters in their query strings, and keeping the set of accounts with the Contributor role or higher limited to people who need it. Upgrading the plugin is the fix; the other measures reduce exposure but do not remove the vulnerability.
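The audit of existing embed content mentioned above, as an added example that is not part of the plugin or of WordPress core. It scans exported post bodies for YouTube URLs and flags any query parameter whose key or value contains characters that could break out of an HTML attribute. The post records are constructed for the example; in practice they would come from the post_content column of wp_posts, and entity-encoded content (for example &quot;) would need to be decoded before scanning, which this example does not do.

```javascript
// Added example, not code from the plugin or WordPress core: an audit pass
// over exported post bodies that flags YouTube URLs whose query parameters
// carry characters able to break out of an HTML attribute.
// The records below are constructed for the example; in practice they would
// come from wp_posts.post_content. The video id is made up.
const SAMPLE_POSTS = [
  { id: 101, content: 'Watch: https://www.youtube.com/watch?v=aBcDeFgHiJk&t=42s' },
  { id: 102, content: '<p>https://youtu.be/aBcDeFgHiJk?autoplay=1</p>' },
  { id: 103, content: 'https://www.youtube.com/watch?v=aBcDeFgHiJk&controls=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E' },
  { id: 104, content: 'https://www.youtube.com/embed/aBcDeFgHiJk?title="><script>alert(document.cookie)</script>' },
];

// Candidate YouTube URLs. The match stops at whitespace or a tag opener so a
// bare URL in a paragraph is not glued to the HTML that follows it.
const YT_URL_RE = /https?:\/\/(?:www\.)?(?:youtube\.com|youtu\.be)\/[^\s<]+/g;

// Shapes a legitimate player parameter key and value can take: video and
// playlist ids, numbers, durations such as 42s. Anything else is suspicious.
const SAFE_KEY_RE = /^[A-Za-z0-9_]{1,32}$/;
const SAFE_VALUE_RE = /^[A-Za-z0-9_.:-]{0,128}$/;

// Returns one finding per suspicious parameter: which post, which URL,
// which key and the decoded value that tripped the check.
function auditPosts(posts) {
  const findings = [];
  for (const post of posts) {
    for (const match of post.content.matchAll(YT_URL_RE)) {
      let url;
      try {
        url = new URL(match[0]);
      } catch {
        continue; // not parseable as a URL; nothing to inspect
      }
      // URLSearchParams percent-decodes, so %22%3E and a literal "> are
      // treated alike.
      url.searchParams.forEach((value, key) => {
        if (!SAFE_KEY_RE.test(key) || !SAFE_VALUE_RE.test(value)) {
          findings.push({ postId: post.id, url: match[0], param: key, value });
        }
      });
    }
  }
  return findings;
}
```

Run over SAMPLE_POSTS, the pass returns two findings, for posts 103 and 104: the percent-encoded payload decodes to the same attribute-breaking characters as the literal one, so encoding alone does not hide it. Posts 101 and 102 pass because a watch URL's v and t parameters and an autoplay flag all fit the expected shapes. Treat the findings as a review queue rather than proof of compromise; an unusual but harmless parameter will also be listed.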