Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Gilman Videopack video-embed-thumbnail-generator allows DOM-Based XSS. This issue affects Videopack: from n/a through <= 4.10.3.
Analysis (AI)
DOM-based cross-site scripting (XSS) in the Kyle Gilman Videopack plugin for WordPress (versions up to 4.10.3) allows authenticated attackers to inject malicious scripts into video embed pages. The plugin improperly neutralizes user input during web page generation, so an attacker can execute arbitrary JavaScript in the context of affected video pages. No active exploitation has been confirmed, and the EPSS score of 0.04% indicates a minimal probability of exploitation.
Technical Context (AI)
The vulnerability exists in the video-embed-thumbnail-generator plugin (Videopack), which is a WordPress plugin used to embed and display video content with custom thumbnails. The issue is classified as DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation), meaning the vulnerability exists in client-side JavaScript code that processes user-controlled input without proper sanitization or escaping. When plugin code directly manipulates the Document Object Model (DOM) using unsanitized user input, attackers can inject arbitrary HTML and JavaScript code that executes in a victim's browser within the security context of the WordPress site.
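The sink-and-source pattern described above, as an added example that is not the Videopack plugin's own code: a hypothetical embed builder reads its parameters from a query string, first concatenating them straight into markup (the DOM-based XSS pattern) and then in a hardened form that validates the video URL by scheme and HTML-escapes each value for its attribute context. Function names, the markup and the sample query string are constructed for this illustration; in browser code the same rule translates to building the element with createElement and setAttribute/textContent rather than assigning an innerHTML string.

```javascript
// Added illustration (not the Videopack plugin's code): the DOM-based XSS
// pattern and one way to harden it. Names and markup are hypothetical.
// In a browser the untrusted "source" is typically location.search or
// location.hash and the "sink" is innerHTML/document.write; the string
// building is shown here so the example runs under Node without a DOM.

// Read embed parameters from a query string such as "?src=...&title=...".
// This is the attacker-influenced input in a DOM-based XSS scenario.
function parseEmbedParams(queryString) {
  const q = new URLSearchParams(queryString);
  return { src: q.get("src") || "", title: q.get("title") || "" };
}

// Vulnerable pattern: untrusted values are concatenated straight into markup.
// Assigning the result to element.innerHTML runs any injected script/handlers.
function buildEmbedUnsafe(params) {
  return `<video controls src="${params.src}" title="${params.title}"></video>`;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs are accepted as a video source; this rejects
// javascript: and data: schemes, which escaping alone does not neutralize.
function isSafeVideoUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed input is rejected in this example
  }
  return url.protocol === "https:" || url.protocol === "http:";
}

// Hardened pattern: validate the URL by scheme, then escape every value for
// the attribute context it lands in.
function buildEmbedSafe(params) {
  if (!isSafeVideoUrl(params.src)) {
    return '<p class="video-error">Invalid video source.</p>';
  }
  return `<video controls src="${escapeHtml(params.src)}" title="${escapeHtml(params.title)}"></video>`;
}

// Constructed sample input: a legitimate source URL plus a title that tries
// to close the attribute and inject a script element.
const sampleQuery =
  "?src=https%3A%2F%2Fexample.com%2Fclip.mp4&title=%22%3E%3Cscript%3Ex()%3C%2Fscript%3E";

// Compare both builders on the same untrusted input.
function demo() {
  const params = parseEmbedParams(sampleQuery);
  return {
    unsafeHasScript: buildEmbedUnsafe(params).includes("<script>"),
    safeHasScript: buildEmbedSafe(params).includes("<script>"),
    safeMarkup: buildEmbedSafe(params),
  };
}

console.log(demo());
```

Running the block prints that the unsafe builder emits a live `<script>` element while the hardened builder emits only escaped text inside the title attribute. Note that escaping is context-specific: a value placed in a URL-bearing attribute such as `src` or `href` needs the scheme check in addition to escaping, because `javascript:` contains no characters that HTML escaping would alter.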
Affected Products (AI)
Kyle Gilman Videopack (video-embed-thumbnail-generator) plugin for WordPress is affected in all versions from an unspecified starting point through version 4.10.3 inclusive. The vulnerability affects the WordPress plugin ecosystem and any WordPress installations with this plugin installed and activated.
Remediation (AI)
Update the Videopack plugin to a version newer than 4.10.3 immediately through the WordPress plugin dashboard or by downloading the latest version from the official WordPress plugin repository. According to the Patchstack vulnerability database referenced in the advisory, patch availability should be confirmed via https://patchstack.com/database/Wordpress/Plugin/video-embed-thumbnail-generator/vulnerability/wordpress-videopack-plugin-4-10-3-cross-site-scripting-xss-vulnerability?_s_id=cve. If an update beyond 4.10.3 is not yet available, deactivate and remove the plugin until a patched version is released, and consider using an alternative video embedding solution.