Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody external-video-for-everybody allows Stored XSS. This issue affects External Video For Everybody: from n/a through <= 2.1.1.
Published: 2025-02-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Stored Cross‑Site Scripting flaw in the External Video For Everybody WordPress plugin (versions up to 2.1.1). It allows an attacker who can inject content into the plugin to persist malicious JavaScript that is then rendered in the browsers of site visitors. Such injected code can hijack user sessions, steal credentials, or deface the site. The flaw is categorized under CWE‑79.

Affected Systems

The affected product is the External Video For Everybody plugin developed by kwiliarty, a WordPress plugin used to embed and manage external videos. Versions through and including 2.1.1 are vulnerable; any WordPress site that has installed this plugin and has not updated beyond 2.1.1 is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 and an EPSS score of less than 1%, indicating moderate severity but a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is most likely two‑step: first, an attacker must obtain permission to alter content or plugin data, and then trigger the stored payload so it executes in the browsers of ordinary visitors. If successful, the attacker can execute arbitrary client‑side code, compromising confidentiality, integrity, and availability from the perspective of site users.

Generated by OpenCVE AI on May 1, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the External Video For Everybody plugin to the latest version that removes the stored XSS flaw (any release newer than 2.1.1).
  • If an immediate upgrade is not feasible, disable or remove the plugin until a patched version is available, or restrict its functionality so that only trusted administrators can modify the content that feeds it.
  • Review user accounts with content‑editing permissions and ensure that only trusted staff have the rights to create or edit posts, plugin settings, or any data that can be rendered on the site.



Advisories
Source: EUVD
ID: EUVD-2025-4030
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody allows Stored XSS. This issue affects External Video For Everybody: from n/a through 2.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody allows Stored XSS. This issue affects External Video For Everybody: from n/a through 2.1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody external-video-for-everybody allows Stored XSS. This issue affects External Video For Everybody: from n/a through <= 2.1.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 07 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody allows Stored XSS. This issue affects External Video For Everybody: from n/a through 2.1.1.
Title WordPress External "Video for Everybody" plugin <= 2.1.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.298Z

Reserved: 2025-02-03T13:34:21.524Z

Link: CVE-2025-25097

Vulnrichment

Updated: 2025-02-07T14:56:10.185Z

NVD

Status: Deferred

Published: 2025-02-07T10:15:15.327

Modified: 2026-04-23T15:25:34.410

Link: CVE-2025-25097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:15:21Z

Weaknesses