CVE-2025-62746 in Featured Video & VideographyWP Plugin
Summary
by MITRE • 12/30/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS.This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/30/2025
This vulnerability represents a critical cross-site scripting flaw that enables attackers to inject malicious scripts into web pages viewed by other users. The issue resides within the CodeFlavors Featured Video for WordPress & VideographyWP plugin, specifically in how it processes and renders user input during web page generation. The vulnerability allows for stored cross-site scripting attacks, meaning that malicious code injected by an attacker can persist in the application's database and execute whenever affected pages are loaded by other users. This particular weakness falls under the CWE-79 category of Cross-site Scripting, which is one of the most prevalent and dangerous web application vulnerabilities. The affected versions range from the initial release through 1.0.18, indicating that the flaw has existed for some time and has not been properly addressed in the plugin's input sanitization mechanisms.
The technical implementation of this vulnerability stems from inadequate validation and sanitization of user-supplied data within the plugin's video embedding and display functionality. When users input video URLs or related metadata through the WordPress admin interface, the plugin fails to properly neutralize potentially malicious input before storing it in the database and subsequently rendering it on web pages. This failure creates a persistent vector for attackers to inject JavaScript code that can execute in the context of other users' browsers. The stored nature of this vulnerability means that even if an attacker's initial injection is not immediately executed, the malicious payload remains embedded in the system and can be triggered whenever the affected pages are accessed. The vulnerability's impact is amplified because WordPress sites typically have numerous users who may view the affected content, creating a wide potential attack surface.
The operational consequences of this vulnerability extend beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, data theft, redirection to malicious sites, and even privilege escalation within the affected WordPress environment. Attackers can leverage this vulnerability to steal administrator credentials, modify content, or redirect users to phishing sites that can harvest sensitive information. The persistence of stored XSS makes this vulnerability particularly dangerous as it can remain active for extended periods without detection, especially if site administrators are unaware of the specific plugin that contains the flaw. This type of vulnerability directly aligns with ATT&CK technique T1566.001 for Phishing and T1566.002 for Spearphishing via Service, as attackers can craft malicious payloads that appear legitimate to end users. The vulnerability also contributes to broader security risks within WordPress ecosystems, as compromised sites can become part of botnets or be used as launching points for further attacks against connected systems.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term prevention measures. The most critical step is to update the affected plugin to a version that properly sanitizes user input and implements proper output encoding for all dynamic content. Administrators should also implement additional security measures such as content security policies that restrict script execution and monitor for suspicious input patterns. Regular security audits of installed WordPress plugins are essential, as many vulnerabilities like this one remain undetected for extended periods. The implementation of web application firewalls can provide an additional layer of protection by filtering malicious payloads before they can be processed by the vulnerable plugin. Security monitoring should include checking for unusual patterns in user-generated content and implementing automated scanning tools that can detect stored XSS vulnerabilities in web applications. Organizations should also consider implementing principle of least privilege access controls to limit the potential damage from successful exploitation of this vulnerability.