CVE-2025-31458
Published: 28 March 2025
Summary
CVE-2025-31458 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-31458 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the forsgren Video Embedder (video-embedder) WordPress plugin that enables Stored Cross-Site Scripting (XSS). The vulnerability affects all versions of the plugin from n/a through 1.7.1. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.
An unauthenticated attacker (PR:N) can exploit this over the network by tricking an authenticated user, such as a site administrator, into visiting a malicious webpage or clicking a crafted link (UI:R). The CSRF request would then submit malicious input to the plugin, storing an XSS payload that executes in the context of other users viewing affected content. Successful exploitation yields low impacts on confidentiality, integrity, and availability but with changed scope, potentially allowing session hijacking, data theft, or further site compromise.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/video-embedder/vulnerability/wordpress-video-embedder-plugin-1-7-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability in detail for the WordPress Video Embedder plugin version 1.7.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8593
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder video-embedder allows Stored XSS.This issue affects Video Embedder: from n/a through <= 1.7.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190; resulting XSS facilitates T1185 for session hijacking and data theft as noted in impacts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 directly mitigates the CSRF vulnerability in the Video Embedder plugin by enforcing session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized requests from tricking authenticated users.
SI-10 prevents storage of malicious XSS payloads by validating inputs submitted to the plugin via the CSRF attack.
SI-15 filters information outputs from the plugin to block execution of any stored XSS payloads in the context of other users.