CVE-2025-58843: CWE-352 Cross-Site Request Forgery (CSRF) in David Merinas Auto Last Youtube Video
Cross-Site Request Forgery (CSRF) vulnerability in David Merinas Auto Last Youtube Video allows Stored XSS. This issue affects Auto Last Youtube Video: from n/a through 1.0.7.
AI Analysis
Technical Summary
CVE-2025-58843 is a high-severity vulnerability classified as CWE-352, indicating a Cross-Site Request Forgery (CSRF) flaw in the 'Auto Last Youtube Video' plugin developed by David Merinas. This vulnerability affects versions up to 1.0.7 of the plugin. The core issue arises because the plugin does not adequately verify the authenticity of requests made to it, allowing an attacker to trick an authenticated user into submitting unwanted actions on their behalf. The vulnerability is further compounded by the presence of Stored Cross-Site Scripting (XSS), meaning that malicious scripts can be permanently injected and stored within the application via the CSRF attack vector. This combination allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions. The CVSS 3.1 base score of 7.1 reflects a high severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component, and impacts confidentiality, integrity, and availability to a low degree each (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because the plugin is likely used in WordPress or similar CMS environments to automatically display the latest YouTube video, a common feature on many websites. The stored XSS combined with CSRF can lead to persistent compromise of site visitors and administrators, enabling further exploitation or defacement.
Potential Impact
For European organizations, especially those running WordPress or similar CMS platforms with the 'Auto Last Youtube Video' plugin installed, this vulnerability poses a notable risk. The stored XSS payloads enabled via CSRF can lead to session hijacking, credential theft, or unauthorized administrative actions, potentially compromising entire websites. This can result in data breaches, reputational damage, and service disruption. Organizations in sectors such as media, education, and small-to-medium enterprises that rely on embedded YouTube content for engagement are particularly vulnerable. Given the plugin’s likely widespread use in Europe, exploitation could affect customer trust and compliance with GDPR if personal data is exposed. The requirement for user interaction (e.g., visiting a malicious link) means targeted phishing campaigns could be used to exploit this vulnerability, increasing risk to employees and customers. The changed scope indicates that the impact could extend beyond the plugin itself, affecting other components or data within the web application environment.
Mitigation Recommendations
1. Immediately audit all websites using the 'Auto Last Youtube Video' plugin to identify affected versions (up to 1.0.7).
2. Disable or remove the plugin until a security patch is released.
3. Implement Web Application Firewall (WAF) rules to detect and block CSRF and XSS attack patterns targeting this plugin's endpoints.
4. Enforce strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources.
5. Educate users and administrators about phishing risks and the importance of not clicking suspicious links that could trigger CSRF attacks.
6. Monitor web server and application logs for unusual POST requests or suspicious activity related to the plugin.
7. Once a patch is available, promptly apply updates and verify the fix.
8. Consider implementing anti-CSRF tokens and input sanitization in custom or alternative plugins to prevent similar vulnerabilities.
9. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities including CSRF and XSS.
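Item 8 above, as an added illustration that is not the plugin's own code (this page does not publish the plugin's actual settings handler, option names or endpoints, so the `alyv_demo_*` names, the `channel` field and the `admin_post` action are hypothetical; only the WordPress API calls are real): a settings handler in the CSRF-and-stored-XSS-prone shape the advisory describes, beside a hardened version that verifies a nonce, checks capability, sanitizes on input and escapes on output.

```php
<?php
// Added illustration, not the plugin's code. Option name, form field and
// admin_post action are hypothetical; the WordPress functions are real.

// --- Vulnerable pattern: no nonce or capability check, value stored and echoed raw.
// A cross-site POST issued by a logged-in administrator's browser is accepted, and
// whatever was submitted is later rendered into the admin page (stored XSS).
function alyv_demo_save_insecure() {
    update_option( 'alyv_demo_channel', $_POST['channel'] );
    echo 'Channel set to: ' . get_option( 'alyv_demo_channel' );
}

// --- Hardened pattern: form with nonce, escaped output of the stored value.
function alyv_demo_render_form() {
    $channel = get_option( 'alyv_demo_channel', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'alyv_demo_save', 'alyv_demo_nonce' );   // anti-CSRF token
    echo '<input type="hidden" name="action" value="alyv_demo_save">';
    // Escape on output so a stored value can never break out of the attribute.
    echo '<input type="text" name="channel" value="' . esc_attr( $channel ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function alyv_demo_save_secure() {
    // 1. Reject requests that did not originate from our own form (CSRF defence).
    check_admin_referer( 'alyv_demo_save', 'alyv_demo_nonce' );
    // 2. Require the capability the action needs, independently of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // 3. Sanitize on input: strip tags/control characters, then enforce the expected shape
    //    (a YouTube channel ID is alphanumeric plus '-' and '_').
    $channel = sanitize_text_field( wp_unslash( $_POST['channel'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $channel ) ) {
        wp_die( esc_html__( 'Invalid channel identifier.' ), '', array( 'response' => 400 ) );
    }
    update_option( 'alyv_demo_channel', $channel );
    // 4. Redirect after POST so a reload cannot resubmit the form.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_alyv_demo_save', 'alyv_demo_save_secure' );
```

The nonce check and the capability check are deliberately separate: a nonce proves the request came from a form WordPress rendered for this user, while the capability check proves that user is allowed to perform the action.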
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-05T10:49:49.114Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68baeaa457c5b37b67a460ec
Added to database: 9/5/2025, 1:50:28 PM
Last enriched: 9/5/2025, 2:00:15 PM
Last updated: 9/5/2025, 8:04:45 PM