Description
Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder video-embedder allows Stored XSS. This issue affects Video Embedder: from n/a through <= 1.7.1.
Published: 2025-03-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Video Embedder plugin saves video-embed settings without verifying that the request originated from the site's own form (CWE-352). An attacker can therefore have an authenticated user's browser submit a forged request that stores attacker-controlled content, including JavaScript, which the plugin later renders unescaped as part of a video embed, resulting in stored cross-site scripting. The practical impact is script execution in the browsers of the victim and of anyone who views the affected embed, enabling session hijacking, defacement, or data exfiltration.

Affected Systems

This issue affects the Video Embedder plugin provided by forsgren and impacts all versions from the initial release up to and including 1.7.1.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects a network-reachable flaw that needs no attacker privileges but does require user interaction, with a changed scope because the stored script runs in the browsers of the site's visitors rather than only in the plugin's own context. The EPSS score below 1% and the SSVC assessment recorded below (Exploitation: none, Automatable: no) indicate that exploitation in the wild is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. An attacker must lure a logged-in user who can change the plugin's settings (typically an administrator) into loading a crafted page or auto-submitting form that fires the vulnerable request; once that succeeds, the stored script runs whenever the embedded video is displayed, giving persistent cross-site scripting against every visitor until the stored data is cleaned up.

Generated by OpenCVE AI on May 1, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Video Embedder plugin as soon as the vendor publishes a release newer than 1.7.1; at the time of this entry no vendor fix or workaround is recorded, so check the plugin's changelog before assuming that a later version closes the CSRF vector.
  • If no fixed version is available, deactivate the plugin, or restrict its settings pages to as few accounts as possible and have those users avoid browsing untrusted sites while logged in, since CSRF needs an authenticated victim.
  • For plugin maintainers: emit a nonce with every form that modifies stored video data (wp_nonce_field) and verify it server-side (check_admin_referer or wp_verify_nonce), paired with a capability check (current_user_can); a nonce proves the request came from the site's own form, not that the user is allowed to make it.
  • Validate input on save (accept a URL, not arbitrary markup) and escape on output (esc_url or esc_attr, or wp_kses where limited HTML is needed) so that whatever ends up stored cannot execute as script when the embed is rendered.
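
The two maintainer-side items above (nonce validation and output escaping), shown as an added example rather than code from the Video Embedder plugin. It assumes it runs inside WordPress, where wp_nonce_field, check_admin_referer, current_user_can, esc_url_raw, esc_url and add_shortcode are core functions; every function, option, action and shortcode name prefixed ve_example_ is hypothetical. The first two functions show the insecure shape the advisory describes; the rest show the hardened handler and renderer.

```php
<?php
// Added example, not code from the Video Embedder plugin. Assumes WordPress core is
// loaded. All ve_example_* names are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check, raw output on render ---
function ve_example_save_embed_insecure() {
    // Any request that reaches this handler updates the option, including one forged
    // from another origin while an administrator is logged in (CSRF, CWE-352).
    update_option('ve_example_embed', $_POST['embed']);
}

function ve_example_render_insecure() {
    // The stored value is echoed verbatim, so a stored payload runs in every visitor's
    // browser (stored XSS).
    echo get_option('ve_example_embed');
}

// --- Hardened pattern ---
function ve_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('ve_example_save_embed', 've_example_nonce'); ?>
        <input type="hidden" name="action" value="ve_example_save_embed">
        <input type="url" name="video_url"
               value="<?php echo esc_attr(get_option('ve_example_video_url', '')); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

function ve_example_save_embed_secure() {
    // 1. CSRF: the nonce is bound to the logged-in user and to this action. A page on
    //    another origin cannot read it, so a forged request stops here
    //    (check_admin_referer calls wp_die on a missing or invalid nonce).
    check_admin_referer('ve_example_save_embed', 've_example_nonce');

    // 2. Authorization: a valid nonce is not a capability check.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }

    // 3. Input validation: store a URL restricted to http/https, never raw markup.
    $url = isset($_POST['video_url'])
        ? esc_url_raw(wp_unslash($_POST['video_url']), array('http', 'https'))
        : '';
    if ($url === '') {
        wp_die('Invalid video URL', '', array('response' => 400));
    }
    update_option('ve_example_video_url', $url);

    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
}
add_action('admin_post_ve_example_save_embed', 've_example_save_embed_secure');

function ve_example_render_secure() {
    // 4. Output escaping at render time: the stored value lands in an attribute, so
    //    esc_url neutralises quotes and non-http schemes even if the option was
    //    tampered with before the fix was deployed.
    $url = get_option('ve_example_video_url', '');
    if ($url === '') {
        return '';
    }
    return '<iframe src="' . esc_url($url) . '" width="560" height="315" allowfullscreen></iframe>';
}
add_shortcode('ve_example_video', 've_example_render_secure');
```

check_admin_referer stops the forged request before any state changes, while esc_url on output is what keeps an already stored payload from executing; both are needed, because a nonce does nothing for data that was written before the fix.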


Advisories
Source: EUVD
ID: EUVD-2025-8593
Title: Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder allows Stored XSS. This issue affects Video Embedder: from n/a through 1.7.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder allows Stored XSS. This issue affects Video Embedder: from n/a through 1.7.1.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder video-embedder allows Stored XSS.This issue affects Video Embedder: from n/a through <= 1.7.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 28 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 12:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder allows Stored XSS. This issue affects Video Embedder: from n/a through 1.7.1.
Title WordPress Video Embedder plugin <= 1.7.1 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.779Z

Reserved: 2025-03-28T11:00:51.876Z

Link: CVE-2025-31458

Vulnrichment

Updated: 2025-03-28T13:35:35.997Z

NVD

Status : Deferred

Published: 2025-03-28T12:15:18.543

Modified: 2026-04-23T15:27:51.913

Link: CVE-2025-31458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:30:07Z

Weaknesses