Description
Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘audio’ parameter in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (arbitrary script execution in users’ browsers)
Action: Patch Now
AI Analysis

Impact

Mine CloudVod plugin for WordPress contains a stored cross‑site scripting flaw caused by insufficient sanitization of the ‘audio’ parameter and lack of output escaping. The vulnerability allows an authenticated user with Contributor or higher privileges to store malicious JavaScript that executes whenever a visitor loads a page containing the injected audio.

Affected Systems

Every installation of Mine CloudVod LMS on WordPress up to and including version 2.1.10 is affected. The issue is resolved in release 2.2.0, which can be confirmed by reviewing the source code at the provided links.

Risk and Exploitability

The flaw carries a CVSS score of 6.4 (medium severity), and an EPSS score under 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. Successful exploitation requires a Contributor‑level or higher account that can add or edit audio content, so the attack surface is limited to sites where such privileges are granted. Once an attacker injects a script, it runs in the browser of any user who visits the affected page, within the origin of the affected site.

Generated by OpenCVE AI on April 22, 2026 at 01:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mine CloudVod to version 2.2.0 or later to enforce proper input sanitization and output escaping.
  • If upgrading is not immediately possible, restrict Contributor and higher user roles from adding or editing audio files, or temporarily disable the plugin until a patch is applied.
  • Implement a content security policy that blocks inline scripts or confines script execution to trusted domains, and validate the audio parameter on the server side before storing it.



Advisories
Source | ID | Title
EUVD | EUVD-2025-22504 | Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘audio’ parameter in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000


Thu, 24 Jul 2025 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 09:30:00 +0000

Type | Values Removed | Values Added
Description | | Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘audio’ parameter in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Mine CloudVod <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via audio Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:19.691Z

Reserved: 2025-07-23T04:17:49.918Z

Link: CVE-2025-8071

Vulnrichment

Updated: 2025-07-24T13:34:54.566Z

NVD

Status: Deferred

Published: 2025-07-24T10:15:29.610

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses