{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6262", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-18T23:09:19.136Z", "datePublished": "2025-07-24T09:22:19.019Z", "dateUpdated": "2026-04-08T17:02:03.876Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:03.876Z"}, "affected": [{"vendor": "museai", "product": "skiv video embedding", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The muse.ai video embedding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's muse-ai shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "muse.ai video embedding <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/790d6336-0c16-4058-9ddb-d182ef56263c?source=cve"}, {"url": "https://wordpress.org/plugins/muse-ai/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362049%40muse-ai&new=3362049%40muse-ai&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-07-23T20:43:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:21:58.652863Z", "id": "CVE-2025-6262", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:22:16.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:21:58.652863Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:22:05.799Z"}}], "cna": {"title": "muse.ai video embedding <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "museai", "product": "skiv video embedding", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:43:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/790d6336-0c16-4058-9ddb-d182ef56263c?source=cve"}, {"url": "https://wordpress.org/plugins/muse-ai/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362049%40muse-ai&new=3362049%40muse-ai&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The muse.ai video embedding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's muse-ai shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:03.876Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6262", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:03.876Z", "dateReserved": "2025-06-18T23:09:19.136Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:19.019Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The muse.ai video embedding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's muse-ai shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento muse.ai video embedding para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode muse-ai del complemento en todas las versiones hasta la 0.4 incluida, debido a una limpieza de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6262", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:26.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3362049%40muse-ai&new=3362049%40muse-ai&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/muse-ai/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/790d6336-0c16-4058-9ddb-d182ef56263c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:36:14.292665+00:00", "value": {"mitigation_remediation": ["Upgrade the Muse.ai Skiv Video Embedding plugin to the latest version that includes the XSS fix and verify the version number matches a release newer than 0.4.", "If an upgrade is unavailable, remove the muse\u2011ai short\u2011code from all posts or restrict the use of the short\u2011code to administrators only; consider disabling the short\u2011code feature for contributor roles.", "Implement or enable a WordPress security plugin that enforces input sanitisation and output escaping, and regularly review user roles to ensure that only trusted users can create or edit content containing shortcodes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via the muse\u2011ai shortcode"}, "threat_synthesis": {"affected_systems": "All WordPress installations running versions of the Muse.ai Skiv Video Embedding plugin up to and including 0.4 are affected. Users of older or unpatched installations should verify the plugin version and update as needed.", "description_and_impact": "The Muse.ai Skiv Video Embedding plugin for WordPress contains a stored XSS flaw that allows an authenticated user with contributor permissions or higher to inject arbitrary JavaScript into the plugin\u2019s short\u2011code attributes. When another user views a page containing the compromised short\u2011code, the injected script runs under that user\u2019s context, enabling defacement, credential theft, or session hijacking. The weakness stems from insufficient input sanitisation and lack of output escaping and is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation is very low in the current landscape. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated contributor\u2011level account and the ability to insert a short\u2011code into a page or post. Once the short\u2011code is stored, the attack becomes a classic stored XSS that can affect any visitor to the compromised page."}}}}, "created": "2025-07-24T21:26:42.270695+00:00", "updated": "2026-04-21T19:45:16.074527+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}