{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8072", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-23T04:28:53.260Z", "datePublished": "2026-01-28T05:30:17.520Z", "dateUpdated": "2026-04-08T16:42:50.401Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:50.401Z"}, "affected": [{"vendor": "nebojsadabic", "product": "Target Video Easy Publish", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018placeholder_img\u2019 parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204"}, {"url": "https://wordpress.org/plugins/brid-video-easy-publish/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-08-11T14:27:45.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-27T17:12:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T20:52:27.988207Z", "id": "CVE-2025-8072", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:52:34.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T20:52:27.988207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:52:31.552Z"}}], "cna": {"title": "Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nebojsadabic", "product": "Target Video Easy Publish", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-11T14:27:45.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-27T17:12:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204"}, {"url": "https://wordpress.org/plugins/brid-video-easy-publish/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php"}], "descriptions": [{"lang": "en", "value": "The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018placeholder_img\u2019 parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:50.401Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8072", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:50.401Z", "dateReserved": "2025-07-23T04:28:53.260Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T05:30:17.520Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018placeholder_img\u2019 parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Target Video Easy Publish para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'placeholder_img' en todas las versiones hasta la 3.8.8, inclusive, debido a una sanitizaci\u00f3n insuficiente de la entrada y un escape de la salida inadecuado. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-8072", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T06:15:48.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/brid-video-easy-publish/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:35:30.675020+00:00", "value": {"mitigation_remediation": ["Upgrade the Target Video Easy Publish plugin to the latest available version, where the placeholder_img input is properly sanitized.", "If upgrading is not immediately possible, limit or revoke Contributor and higher roles from users who do not require them to manage the plugin.", "Implement a custom filter to remove or escape the placeholder_img parameter before it is stored, ensuring that any injected scripts are neutralized."], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting via Contributor\u2011level access"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Target Video Easy Publish plugin version 3.8.8 or earlier. Any site using this plugin up to that release is susceptible, regardless of theme or other plugins.", "description_and_impact": "The Target Video Easy Publish plugin allows authenticated users with Contributor or higher privileges to store arbitrary JavaScript through the placeholder_img parameter, because the input is not properly sanitized or escaped. When the affected content is viewed, the injected script runs in the context of the site, enabling typical XSS consequences such as session hijacking, defacement, or the loading of malicious resources. The vulnerability is a classic insecure input handling (CWE\u201179) that compromises the confidentiality, integrity, and availability of the site users' browsers. Based on the description, the attack vector is an authenticated session\u2014any contributor can perform the injection without the need for additional privileges.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% shows a low probability of exploitation at present. The issue is not listed in the CISA KEV catalog. Because the flaw requires authenticated Contributor+ access, the potential impact is constrained to sites where such roles are present, yet it still poses a significant risk to any user who views the stored content. None of the references indicate a publicly available exploit, but the nature of XSS makes this vulnerability a likely target for automated attack scripts if an attacker gains legitimate Contributor privilege."}}}}, "created": "2026-01-28T12:21:43.003570+00:00", "updated": "2026-04-22T15:45:20.868952+00:00", "vendors": ["nebojsadabic", "nebojsadabic$PRODUCT$target_video_easy_publish", "wordpress", "wordpress$PRODUCT$wordpress"]}