Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube workbox-video-from-vimeo-youtube-plugin allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through <= 3.2.2.
Published: 2025-04-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw (CWE‑79) in the Workbox Video from Vimeo & Youtube WordPress plugin. User‑supplied input is not properly neutralized before it is sent back to the browser, allowing an attacker to inject malicious JavaScript into the page that a user views. When the script executes, it can steal session data, deface the site, or carry out other client‑side attacks, compromising user confidentiality and site integrity.

Affected Systems

WordPress installations that have the Workbox Video from Vimeo & Youtube plugin version 3.2.2 or earlier are affected. Any site using these versions, whether installed from the WordPress plugin repository or another source, may be exposed.

Risk and Exploitability

The CVSS score of 7.1 classifies this as high severity, but the EPSS score of <1% indicates a low likelihood of exploitation in the wild. The vulnerability is not included in CISA’s KEV catalog. As a reflected XSS, the attacker must be able to influence the victim’s request – typically through a malicious URL or link – which suggests the primary attack vector is user interaction with crafted content. Prompt patching is recommended to reduce the risk of exploitation.

Generated by OpenCVE AI on May 2, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Workbox Video from Vimeo & Youtube plugin to the latest version, 3.2.3 or newer.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the exposed surface.
  • Implement server‑side input validation or use WordPress sanitization functions such as wp_kses or sanitize_text_field on query parameters used by the plugin to ensure any reflected data is properly escaped.



Advisories
Source: EUVD
ID: EUVD-2025-10781
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through 3.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through 3.2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube workbox-video-from-vimeo-youtube-plugin allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through <= 3.2.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through 3.2.2.
Title WordPress Workbox Video from Vimeo & Youtube Plugin Plugin <= 3.2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.686Z

Reserved: 2025-04-09T11:19:42.424Z

Link: CVE-2025-32534

Vulnrichment

Updated: 2025-04-11T15:30:15.050Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:25.230

Modified: 2026-04-23T15:29:03.643

Link: CVE-2025-32534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z
