CVE-2025-62746 identifies a stored Cross-site Scripting (XSS) vulnerability in the CodeFlavors Featured Video for WordPress & VideographyWP plugin, versions up to 1.0.18. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts that are stored persistently within the plugin's data. When other users or administrators view the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or distribution of malware. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), and a scope change (S:C) indicating that the vulnerability can affect components beyond the initially vulnerable plugin. Confidentiality, integrity, and availability impacts are all rated low but present. No patches or known exploits are currently available, increasing the importance of proactive mitigation. The vulnerability affects WordPress sites using this plugin, which is commonly deployed for video content management and display. Given WordPress’s widespread use in Europe, particularly for media and marketing websites, this vulnerability poses a tangible risk to organizations relying on this plugin for featured video content.

For European organizations, this vulnerability could lead to unauthorized script execution within trusted websites, compromising user sessions and potentially enabling attackers to steal sensitive information, deface websites, or distribute malware. Organizations with multi-user WordPress environments, such as media companies, marketing agencies, and e-commerce platforms, face increased risk due to the stored nature of the XSS, which can affect multiple users over time. The compromise of administrative accounts via XSS could lead to broader site control loss, data integrity issues, and reputational damage. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection; exploitation of this vulnerability could result in data breaches triggering compliance violations and financial penalties. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after public disclosure. The medium severity rating suggests a significant but not critical threat, emphasizing the need for timely mitigation to prevent escalation.

1. Immediately audit WordPress sites to identify installations of the CodeFlavors Featured Video for WordPress & VideographyWP plugin and determine the version in use. 2. Restrict plugin usage to trusted administrators and limit user roles that can input data processed by the plugin. 3. Implement strict input validation and output encoding on all user-supplied data related to the plugin, using security-focused WordPress development best practices. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin. 5. Monitor logs and user activity for unusual behavior indicative of attempted exploitation, such as unexpected script injections or anomalous user actions. 6. Prepare for rapid deployment of patches or updates once the vendor releases a fix; subscribe to vendor and security mailing lists for timely notifications. 7. Educate site administrators and users about the risks of XSS and safe browsing practices to reduce the likelihood of successful exploitation. 8. Consider temporary disabling or replacing the plugin with alternative solutions if immediate patching is not possible.