CVE-2025-62143
Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Retrieve Embedded Sensitive Data. This issue affects Post Video Players: from n/a through <= 1.163.
Analysis
The Post Video Players WordPress plugin, through version 1.163, exposes sensitive embedded data to unauthorized users because it does not adequately restrict who can retrieve that data. An attacker can obtain system information that should not be publicly accessible, via the plugin's core video playlist and gallery functionality. With an extremely low EPSS score of 0.04%, active exploitation appears minimal despite the information disclosure risk.
Technical Context
The vulnerability stems from CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which describes improper access controls on sensitive data. The Post Video Players plugin, which handles video playlist and gallery display on WordPress sites, fails to properly restrict access to embedded sensitive data. This likely involves inadequate capability checks or missing nonce verification on functions that expose metadata, configuration, or system information. WordPress plugins are particularly susceptible to this class of vulnerability when they expose database queries, API responses, or file paths without proper authentication or authorization verification.
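The following is an added illustration of the CWE-497 pattern the paragraph above describes in WordPress plugins generally; it is not the Post Video Players plugin's code, and the action names, option name, setting keys and capability used are hypothetical. It places an unprotected AJAX handler beside a hardened one that adds the nonce check, the capability check and an allow-list of returned fields.

```php
<?php
// Added illustration (not the Post Video Players plugin's code) of the
// CWE-497 pattern in a WordPress AJAX endpoint, beside its hardened form.
// Every action name, option name, key and capability here is hypothetical.

/* ---- Vulnerable pattern: data returned to any caller, no checks ---- */

// Registering on both wp_ajax_ and wp_ajax_nopriv_ makes the endpoint
// reachable by logged-out visitors; the handler then dumps the whole
// settings array, including anything sensitive stored alongside display
// options (API keys, server paths, internal URLs).
add_action( 'wp_ajax_pvp_get_settings', 'pvp_get_settings_insecure' );
add_action( 'wp_ajax_nopriv_pvp_get_settings', 'pvp_get_settings_insecure' );

function pvp_get_settings_insecure() {
    $settings = get_option( 'pvp_settings', array() ); // hypothetical option
    wp_send_json_success( $settings ); // no nonce, no capability check, no filtering
}

/* ---- Hardened pattern ---- */

// Keys that are safe to hand to the browser; everything else stays server-side.
const PVP_PUBLIC_SETTING_KEYS = array( 'autoplay', 'playlist_layout', 'thumbnail_size' );

// Logged-in hook only: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_pvp_get_settings_secure', 'pvp_get_settings_secure' );

function pvp_get_settings_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() ends the request with a 403 if it is missing or invalid).
    check_ajax_referer( 'pvp_settings_nonce', 'nonce' );

    // 2. Authorization: require a capability appropriate to the data returned.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Minimise disclosure: return only the allow-listed keys, never the raw option.
    $settings = get_option( 'pvp_settings', array() );
    $public   = array_intersect_key( $settings, array_flip( PVP_PUBLIC_SETTING_KEYS ) );

    wp_send_json_success( $public );
}

// The admin page script receives its nonce through wp_localize_script(), e.g.:
//   wp_localize_script( 'pvp-admin', 'pvpAjax', array(
//       'nonce' => wp_create_nonce( 'pvp_settings_nonce' ),
//   ) );
```

If a plugin genuinely needs anonymous visitors to read display settings, the defensible design is to expose only the allow-listed subset on the nopriv hook and keep every other key behind the capability check; the allow-list, not the hook registration, is what bounds the disclosure.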
Affected Products
The Post Video Players plugin (video-playlist-and-gallery-plugin) is affected in all versions from an unspecified initial release through version 1.163. The plugin is hosted on the WordPress plugin repository and serves as a video playlist and gallery tool for WordPress sites. The exact CPE designation would be cpe:2.3:a:nicashmu:post_video_players:*:*:*:*:*:wordpress:*:* with version range <=1.163. According to Patchstack reporting, this vulnerability affects the core plugin distribution available through WordPress.org.
Remediation
Users should update the Post Video Players plugin to a version newer than 1.163 once released by the vendor. Monitor the Patchstack vulnerability database and the official WordPress plugin repository for patched releases. In the interim, website administrators should review plugin configuration and access logs to identify any unauthorized data retrieval attempts and consider temporarily disabling the plugin if the exposed data is particularly sensitive. The primary advisory and vulnerability details are documented at https://patchstack.com/database/Wordpress/Plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-sensitive-data-exposure-vulnerability.