Description
The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-04-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Video Url WordPress plugin contains a reflected XSS flaw that allows arbitrary script injection via the 'id' query parameter. An unauthenticated attacker can craft a malicious link that, when visited by a user, causes the browser to execute the injected script in the context of the site.

Affected Systems

WordPress installations that have the Video Url plugin installed in any version up to and including 1.0.0.3 are affected. Sites running older releases that have not applied the fix remain vulnerable.

Risk and Exploitability

The CVSS base score is 6.1, indicating medium severity. The EPSS score of less than 1% suggests a low probability of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to click a crafted URL; the attacker needs no authentication or administrative privileges.

Generated by OpenCVE AI on April 22, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Video Url plugin to the latest released version, removing the vulnerability.
  • If an immediate update is not possible, uninstall or disable the plugin to eliminate the attack vector.
  • As a temporary defense, implement input validation or sanitization on the 'id' parameter to ensure any reflected output is properly escaped.



Advisories
Source: EUVD
ID: EUVD-2025-9545
Title: The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Apr 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Video Url <= 1.0.0.3 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:36.047Z

Reserved: 2025-04-01T14:55:45.262Z

Link: CVE-2025-3098

Vulnrichment

Updated: 2025-04-02T14:46:54.331Z

NVD

Status: Deferred

Published: 2025-04-02T10:15:20.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses