Description
Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts wp-video-posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through <= 3.5.1.
Published: 2025-02-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the WP Video Posts plugin lets an attacker who gets a logged-in user to submit a forged request inject OS commands, resulting in remote code execution. The plugin accepts authenticated requests without validating a CSRF token, so a request crafted on a third-party page is processed with the victim's privileges. Successful exploitation would give the attacker full control over the WordPress site and its underlying server, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the WP Video Posts plugin from cmstactics. All versions up to and including 3.5.1 are vulnerable. No other products or variants are listed as affected.

Risk and Exploitability

The CVSS score of 8.3 marks this issue as high severity. The EPSS score of less than 1% indicates that the current probability of exploitation is low, yet the attack requires no credentials of its own: it is carried out by delivering a forged request to an authenticated user. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been reported there. Nonetheless, the potential for remote code execution makes it a serious risk wherever the plugin is in use.

Generated by OpenCVE AI on May 2, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Force an upgrade to the newest WP Video Posts release that contains the CSRF fix, if such a release exists
  • Disable the WP Video Posts plugin on sites where it is not essential
  • Restrict access to the plugin’s administrative and AJAX endpoints so that only authenticated administrators can reach them, and ensure those endpoints validate a CSRF nonce
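The nonce and capability checks that the last recommended action describes, shown as an added example of a hardened WordPress AJAX handler. This is illustrative code written for this page, not the WP Video Posts plugin's code; the hook name `wpvp_example_convert`, the `format` and `attachment_id` fields, the allowlist and the `ffmpeg` invocation are all assumptions.

```php
<?php
// Added example: a WordPress AJAX endpoint that validates a CSRF nonce,
// requires a capability, and never hands free-text request data to a shell.
// Hook name, field names and the allowlist are assumptions for illustration.

// Register for logged-in users only. Deliberately no 'wp_ajax_nopriv_'
// registration, so anonymous requests get WordPress's default "0" response
// and never reach the callback.
add_action( 'wp_ajax_wpvp_example_convert', 'wpvp_example_convert_handler' );

// Mint the nonce for the admin script that calls the endpoint. The script
// must send it back as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'wpvp-example', plugins_url( 'example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpvp-example', 'wpvpExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpvp_example_convert' ),
    ) );
} );

function wpvp_example_convert_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user's session, which a page on another origin cannot read.
    //    check_ajax_referer() dies with HTTP 403 when the check fails.
    check_ajax_referer( 'wpvp_example_convert', 'nonce' );

    // 2. Authorization: a valid nonce only proves the request came from the
    //    site's own pages; it is not a permission check, so require one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input: map the user's choice onto a fixed allowlist of arguments
    //    instead of letting the raw value reach the command line.
    $allowed_formats = array(
        'mp4'  => array( '-f', 'mp4' ),
        'webm' => array( '-f', 'webm' ),
    );
    $format = isset( $_POST['format'] ) ? sanitize_text_field( wp_unslash( $_POST['format'] ) ) : '';
    if ( ! array_key_exists( $format, $allowed_formats ) ) {
        wp_send_json_error( array( 'message' => 'unsupported format' ), 400 );
    }

    // The file to process is referenced by attachment ID, never by a path
    // taken from the request, and the user must be allowed to edit it.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $input_path    = get_attached_file( $attachment_id );
    if ( ! $input_path || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'unknown attachment' ), 404 );
    }

    // 4. Sink: build the command from constants plus escaped arguments only.
    //    The command is returned for inspection here rather than executed.
    $command = wpvp_example_build_command( $allowed_formats[ $format ], $input_path );
    wp_send_json_success( array( 'command' => $command ) );
}

// Every variable part of the command passes through escapeshellarg(), so a
// value containing shell metacharacters becomes a single quoted argument.
function wpvp_example_build_command( array $args, $input_path ) {
    $parts = array( 'ffmpeg', '-i', escapeshellarg( $input_path ) );
    foreach ( $args as $arg ) {
        $parts[] = escapeshellarg( $arg );
    }
    return implode( ' ', $parts );
}
```

The nonce is tied to the logged-in user and to the action name, and `check_ajax_referer()` rejects a request that lacks it or carries one minted for a different user or action. Two points matter when reviewing a plugin against this pattern: a nonce check alone does not authorize the caller, since every logged-in user can obtain one from the site's own pages, so the capability check is separate; and CSRF protection does nothing for an endpoint that still passes request data into a shell, which is why the allowlist and `escapeshellarg()` remain even after the nonce is in place.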


Advisories

  • Source: EUVD
    ID: EUVD-2025-4337
    Title: Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through 3.5.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values removed: Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through 3.5.1.
  Values added: Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts wp-video-posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through <= 3.5.1.

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 12 Mar 2025 21:15:00 +0000

  Type: Metrics (ssvc)
  Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 24 Feb 2025 15:00:00 +0000

  Type: Description
  Values added: Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through 3.5.1.

  Type: Title
  Values added: WordPress WP Video Posts plugin <= 3.5.1 - CSRF to Remote Code Execution (RCE) vulnerability

  Type: Weaknesses
  Values added: CWE-352

  Type: References

  Type: Metrics (cvssV3_1)
  Values added: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.565Z

Reserved: 2025-02-21T16:45:27.526Z

Link: CVE-2025-27298

Vulnrichment

Updated: 2025-03-12T21:08:12.637Z

NVD

Status: Deferred

Published: 2025-02-24T15:15:15.703

Modified: 2026-06-17T09:03:21.517

Link: CVE-2025-27298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)