Cyber Resilience

CVE-2025-31458

High

Published: 28 March 2025

Published
28 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0026 49.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31458 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-31458 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the forsgren Video Embedder (video-embedder) WordPress plugin that enables Stored Cross-Site Scripting (XSS). The vulnerability affects all versions of the plugin from n/a through 1.7.1. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.

An unauthenticated attacker (PR:N) can exploit this over the network by tricking an authenticated user, such as a site administrator, into visiting a malicious webpage or clicking a crafted link (UI:R). The CSRF request would then submit malicious input to the plugin, storing an XSS payload that executes in the context of other users viewing affected content. Successful exploitation yields low impacts on confidentiality, integrity, and availability but with changed scope, potentially allowing session hijacking, data theft, or further site compromise.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/video-embedder/vulnerability/wordpress-video-embedder-plugin-1-7-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability in detail for the WordPress Video Embedder plugin version 1.7.1.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in forsgren Video Embedder video-embedder allows Stored XSS.This issue affects Video Embedder: from n/a through <= 1.7.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

CSRF to stored XSS in public-facing WordPress plugin directly enables T1190; resulting XSS facilitates T1185 for session hijacking and data theft as noted in impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23900Shared CWE-352
CVE-2026-29784Shared CWE-352
CVE-2025-25140Shared CWE-352
CVE-2025-23567Shared CWE-352
CVE-2025-31443Shared CWE-352
CVE-2025-31444Shared CWE-352
CVE-2025-22690Shared CWE-352
CVE-2025-26577Shared CWE-352
CVE-2025-30587Shared CWE-352
CVE-2025-23501Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 directly mitigates the CSRF vulnerability in the Video Embedder plugin by enforcing session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized requests from tricking authenticated users.

prevent

SI-10 prevents storage of malicious XSS payloads by validating inputs submitted to the plugin via the CSRF attack.

prevent

SI-15 filters information outputs from the plugin to block execution of any stored XSS payloads in the context of other users.

References