CVE-2025-13849
Stored XSS in Cool YT Player WordPress Plugin via videoid Parameter
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cool_yt_player | cool_yt_player | up to and including 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Cool YT Player plugin for WordPress, affecting all versions up to and including 1.0. The plugin's [coolyt] shortcode takes a 'videoid' attribute and places it in the rendered page without sufficient input sanitization or output escaping. Any authenticated user with Contributor-level access or higher can therefore put a script payload into the 'videoid' attribute of a post; the payload is stored with the post and executes in the browser of every user who views the rendered page. Note that Contributors do not have the unfiltered_html capability, so WordPress strips raw script tags from their post bodies on save; a shortcode attribute, however, is handed to the plugin as plain text at render time, so a value that breaks out of the attribute quoting (it needs no angle brackets) passes that filtering and reaches the page unescaped.
How can this vulnerability impact me?
The vulnerability allows attackers to inject arbitrary web scripts that execute in the browser of every user who visits the affected page, with that user's session. This can lead to unauthorized actions performed on the victim's behalf, data theft, session hijacking, or defacement. The highest-value victim is a logged-in Editor or Administrator previewing a Contributor's pending post: script running in that session can do anything the administrator can do through the browser, such as creating users or changing site settings, so a low-privilege account can escalate to full control of the site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means finding posts whose [coolyt] shortcode carries a 'videoid' value that is not a plain YouTube video ID. The resources provide no specific commands, so the practical approach is to query the WordPress database (or grep an export of it) for every occurrence of the shortcode and review the attribute values. A query such as SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[coolyt%'; lists every post, page, draft and revision that uses the shortcode; substitute your installation's table prefix if it is not wp_. Three caveats matter. First, a pattern that only matches '<script>' inside the attribute is too narrow: a Contributor cannot store a raw <script> tag at all, because WordPress strips it on save for users without the unfiltered_html capability, so the payloads that survive are the ones that break out of the attribute quoting, for example a value containing " onload=" or " onmouseover=", which contain no angle brackets. Treat any 'videoid' that is not an 11-character string of letters, digits, '-' and '_' as suspect. Second, include drafts, pending and scheduled posts and revisions (post_status other than 'publish'), since an Editor or Administrator previewing a Contributor's pending post is exactly the victim this attack targets. Third, join post_author against your user list so that every shortcode placed by a low-privilege account gets reviewed. [1]
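The scan described above, as an added example that is not part of this advisory or of the plugin's code: a Python script that runs over rows exported from wp_posts (the sample rows below are constructed), parses each [coolyt] shortcode in a simplified imitation of WordPress's shortcode_parse_atts(), and flags any 'videoid' that is not an 11-character YouTube ID. It also emulates the '<script>'-only LIKE pattern so you can see which payload it misses. The shortcode form [coolyt videoid="..."] is an assumption; the advisory names the attribute but not its exact syntax.

```python
import re

# Simplified emulation of how WordPress splits a shortcode and its attributes
# (after shortcode_parse_atts()).  Assumes the plugin is used as
# [coolyt videoid="..."]; the attribute name comes from the advisory, the
# surrounding syntax is an assumption.
SHORTCODE_RE = re.compile(r"\[coolyt\b([^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# A real YouTube video ID is exactly 11 characters from this alphabet.
YOUTUBE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


def coolyt_videoids(post_content):
    """Return the videoid value of every [coolyt ...] shortcode in the text."""
    ids = []
    for sc in SHORTCODE_RE.finditer(post_content):
        for attr in ATTR_RE.finditer(sc.group(1)):
            if attr.group(1).lower() != "videoid":
                continue
            # Exactly one of the three value groups matched (double-, single- or unquoted).
            ids.append(next(g for g in attr.groups()[1:] if g is not None))
    return ids


def like_script_match(post_content):
    """Emulates  post_content LIKE '%[coolyt%videoid=%<script>%'  in MySQL."""
    i = post_content.find("[coolyt")
    if i < 0:
        return False
    j = post_content.find("videoid=", i)
    if j < 0:
        return False
    return post_content.find("<script>", j) >= 0


def scan_rows(rows):
    """rows: iterable of (ID, post_status, post_content) as exported from wp_posts.
    Returns one hit per videoid that is not a well-formed YouTube ID."""
    hits = []
    for post_id, status, content in rows:
        for vid in coolyt_videoids(content):
            if not YOUTUBE_ID_RE.match(vid):
                hits.append({"ID": post_id, "post_status": status, "videoid": vid})
    return hits


# Constructed sample rows.  103 is the attribute-breakout shape that contains
# no angle brackets and so survives WordPress's HTML filtering for Contributors.
SAMPLE_ROWS = [
    (101, "publish", 'Intro [coolyt videoid="dQw4w9WgXcQ"] outro'),
    (102, "pending", '[coolyt videoid="<script>alert(1)</script>"]'),
    (103, "pending", "[coolyt videoid='dQw4w9WgXcQ\" onload=\"alert(document.cookie)']"),
    (104, "draft", "[coolyt videoid=dQw4w9WgXcQ] [coolyt videoid=x] [coolyt]"),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
    # The '<script>'-only LIKE pattern catches row 102 but never sees row 103.
    print([r[0] for r in SAMPLE_ROWS if like_script_match(r[2])])
```

Feed it the output of the SELECT above (for example via mysql --batch or a WXR export parsed into tuples) and review every hit by hand; a flagged row is not proof of compromise (104's "x" is just a broken shortcode), but a value with quotes, whitespace or an = in it is a payload until shown otherwise.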
What immediate steps should I take to mitigate this vulnerability?
Update the Cool YT Player plugin as soon as a version newer than 1.0 that fixes this issue is available. Until then, the most reliable mitigation is to deactivate or remove the plugin, because the vulnerable code is the shortcode handler itself: WordPress parses shortcode attributes when the page is rendered, so the proper fix validates the 'videoid' value in the shortcode callback (allowing only an 11-character YouTube ID) and escapes it on output, and nothing outside the plugin can do that for it. If you must keep the plugin active, limit who can place the shortcode: review or temporarily suspend Contributor-level and Author-level accounts you do not trust, and make sure pending posts from such accounts are not previewed by Editors or Administrators until they have been checked. Audit existing content that uses the 'videoid' attribute, including drafts, pending posts and revisions, and remove any injected value. A Web Application Firewall rule that blocks requests storing a [coolyt] shortcode whose 'videoid' contains quotes, angle brackets or whitespace adds a useful layer, but it is a stopgap rather than a replacement for the patch. [1]
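The validate-and-escape fix, as an added illustration in Python rather than the plugin's PHP (this is not the plugin's code and the function names are hypothetical): the vulnerable pattern the advisory describes, an attribute value written straight into an HTML attribute, next to an escape-only variant and a hardened version that allowlists the ID before escaping it.

```python
import html
import re

# A YouTube video ID is exactly 11 characters from this alphabet; anything else
# is not a valid input for the shortcode and should be rejected, not "cleaned".
YOUTUBE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


def render_vulnerable(videoid):
    """The shape the advisory describes: the shortcode attribute lands in an
    HTML attribute unescaped.  (Hypothetical sketch, not the plugin's code.)"""
    return f'<iframe src="https://www.youtube.com/embed/{videoid}"></iframe>'


def escape_only(videoid):
    """Output escaping without validation closes the attribute-breakout hole
    (quotes become &quot;) but still lets arbitrary junk into the embed URL."""
    safe = html.escape(videoid, quote=True)
    return f'<iframe src="https://www.youtube.com/embed/{safe}"></iframe>'


def render_hardened(videoid):
    """Allowlist first, escape second.

    Validation rejects anything that is not a plausible video ID, so values
    like  x" onload="...  or  <script>...  never reach the markup.  Escaping
    is kept as defence in depth in case the allowlist is relaxed later.
    """
    if not isinstance(videoid, str) or not YOUTUBE_ID_RE.match(videoid):
        # Emit nothing rather than echoing the rejected value back into the page.
        return ""
    safe = html.escape(videoid, quote=True)
    return f'<iframe src="https://www.youtube.com/embed/{safe}"></iframe>'


if __name__ == "__main__":
    # Constructed payload in the attribute-breakout shape: no angle brackets,
    # so WordPress's HTML filtering for Contributors leaves it untouched.
    payload = 'dQw4w9WgXcQ" onload="alert(document.cookie)'
    print(render_vulnerable(payload))    # onload= ends up as an <iframe> attribute
    print(escape_only(payload))          # no breakout, but still a garbage URL
    print(render_hardened(payload))      # rejected: prints an empty line
    print(render_hardened("dQw4w9WgXcQ"))
```

The same two steps map directly onto the PHP side: check the attribute against the ID pattern in the shortcode callback and wrap the value in an attribute-escaping function before printing it, so that a value which is not a video ID produces no markup at all.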