The forsgren Video Embedder plugin versions up to 1.7.1 contain a CSRF vulnerability that enables an attacker to inject stored XSS payloads. This occurs because the plugin does not adequately verify the origin of requests, allowing malicious requests to be executed with the privileges of an authenticated user. The vulnerability is network exploitable without privileges but requires user interaction. The impact includes potential confidentiality, integrity, and availability loss due to the stored XSS. No patch or official fix details are currently available.

Successful exploitation of this vulnerability could allow an attacker to execute stored cross-site scripting attacks, potentially leading to session hijacking, defacement, or other malicious actions performed in the context of an authenticated user. The CVSS score of 7.1 indicates a high impact on confidentiality, integrity, and availability. However, there are no known active exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting use of the Video Embedder plugin or applying any available workarounds from the vendor. Implementing additional CSRF protections at the application or web server level may help mitigate risk temporarily.