The Multi Video Box plugin for WordPress, developed by skustes, suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-2484. This vulnerability stems from improper neutralization of input during web page generation, specifically involving the 'video_id' and 'group_id' URL parameters. Versions up to and including 1.5.2 fail to adequately sanitize and escape these inputs, allowing attackers to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious script is embedded in a crafted URL that, when visited by a user, executes in their browser context. The attack requires no authentication but does require user interaction, such as clicking a malicious link. The vulnerability impacts the confidentiality and integrity of user data by enabling session hijacking, credential theft, or phishing attacks. The CVSS 3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network, low attack complexity, no privileges required, user interaction needed, and scope changed due to potential impact beyond the vulnerable component. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79, which is a common and well-understood web application security flaw. Given the widespread use of WordPress and the popularity of video-related plugins, this vulnerability poses a significant risk to websites using Multi Video Box, especially those with high user traffic or sensitive user data.

The primary impact of CVE-2025-2484 is on the confidentiality and integrity of users interacting with vulnerable websites. Attackers can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, facilitating phishing or malware distribution. Although availability is not directly affected, the reputational damage and potential data breaches can have severe consequences for organizations. This vulnerability can be exploited remotely without authentication, increasing its risk profile. Organizations relying on the Multi Video Box plugin for video content delivery may face increased risk of account compromise, data leakage, and loss of user trust. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the affected network. The lack of a patch and known exploits in the wild suggests a window of exposure that organizations must address proactively. The scope of affected systems is broad, as all plugin versions up to 1.5.2 are vulnerable, and WordPress powers millions of websites globally.

To mitigate CVE-2025-2484, organizations should immediately audit their WordPress installations to identify the presence of the Multi Video Box plugin and its version. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate exposure. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'video_id' and 'group_id' parameters. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Educate users and administrators about the risks of clicking untrusted links, especially those containing suspicious URL parameters. Developers maintaining the plugin should apply proper input validation and output encoding techniques, such as using WordPress’s built-in escaping functions (e.g., esc_attr(), esc_html()) on all user-controllable inputs. Regularly monitor web server logs and security alerts for signs of exploitation attempts. Finally, maintain an incident response plan to quickly address any detected compromise related to this vulnerability.