CVE-2025-13849 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Cool YT Player plugin for WordPress, developed by matiasanca. The vulnerability exists in all versions up to and including 1.0 due to improper neutralization of input during web page generation. Specifically, the 'videoid' parameter is not properly sanitized or escaped before being stored and rendered on pages. Authenticated attackers with Contributor-level or higher privileges can exploit this by injecting arbitrary JavaScript code into the 'videoid' parameter. When other users access the infected page, the malicious script executes in their browsers, potentially stealing cookies, session tokens, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the compromised page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed as the vulnerability affects other users beyond the attacker. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those allowing content contributions from authenticated users.

The primary impact of this vulnerability is the potential for stored XSS attacks on WordPress sites using the Cool YT Player plugin. Exploitation can lead to theft of sensitive user information such as authentication cookies or tokens, enabling session hijacking and unauthorized actions. It can also facilitate privilege escalation if administrative users are targeted, allowing attackers to compromise the entire site. Additionally, attackers could deface websites or redirect users to malicious sites, damaging organizational reputation. Since the vulnerability requires Contributor-level access, attackers must first gain some level of authenticated access, which may limit exposure but still poses a significant risk in environments with multiple contributors or weak access controls. The vulnerability affects the confidentiality and integrity of data but does not impact availability. Organizations relying on this plugin for video playback on WordPress sites face risks of data breaches, user trust erosion, and potential regulatory consequences if user data is compromised.

To mitigate this vulnerability, organizations should first check for any available updates or patches from the plugin developer and apply them immediately once released. In the absence of official patches, administrators should consider temporarily disabling or uninstalling the Cool YT Player plugin to eliminate the attack surface. Implement strict access controls to limit Contributor-level permissions only to trusted users and regularly audit user roles and activities. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the 'videoid' parameter. Additionally, sanitize and validate all user inputs at the application level, and implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitoring website logs for unusual input patterns or script injections can help detect exploitation attempts. Educate content contributors about the risks of injecting untrusted content and enforce secure coding practices if custom modifications are made to the plugin or site.