CVE-2025-8072 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Target Video Easy Publish plugin for WordPress, maintained by the vendor nebojsadabic. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'placeholder_img' parameter. All versions up to and including 3.8.8 are affected due to insufficient input sanitization and lack of output escaping. An attacker with authenticated Contributor-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. This malicious script is stored persistently and executes in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the attacker’s privileges. No user interaction is required for exploitation once the malicious script is injected. There are no known public exploits currently in the wild, and no official patches or updates have been released yet. The vulnerability is categorized under CWE-79, a common web application security weakness related to cross-site scripting. The plugin is used in WordPress environments, which are widely deployed globally, especially in small to medium business websites and content-driven platforms.

The impact of CVE-2025-8072 can be significant for organizations using the Target Video Easy Publish plugin on WordPress sites. Successful exploitation allows an authenticated contributor to inject persistent malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with the victim’s privileges, defacement, or distribution of malware. Since contributors typically have limited privileges, the initial attacker access vector is somewhat restricted, but the vulnerability enables privilege escalation through client-side attacks. The scope change means that the attacker can affect users beyond their own privileges, increasing the risk to site administrators and visitors. Organizations relying on this plugin for video publishing may face reputational damage, data breaches, and compliance issues if user data is compromised. The lack of patches increases exposure time, and the widespread use of WordPress amplifies the potential attack surface globally.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review existing contributor accounts for suspicious activity. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'placeholder_img' parameter. 3) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Monitor logs and user activity for signs of XSS exploitation or anomalous behavior. 5) Disable or remove the Target Video Easy Publish plugin if it is not essential or replace it with a secure alternative. 6) Educate content contributors about safe input practices and the risks of injecting untrusted content. 7) Once available, promptly apply vendor patches or updates addressing this vulnerability. 8) Conduct regular security assessments and penetration tests focusing on plugin vulnerabilities in WordPress environments.