CVE-2025-13849
📋 TL;DR
The Cool YT Player WordPress plugin has a stored XSS vulnerability in the 'videoid' parameter that allows authenticated attackers with Contributor access or higher to inject malicious scripts. These scripts execute automatically when users view compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Cool YT Player WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or redirect visitors to phishing sites, compromising user accounts and site integrity.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated, preventing script injection entirely.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained. The vulnerability is well-documented in public sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/cool-yt-player
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Cool YT Player' and click 'Update Now'.
4. Alternatively, delete the plugin and install the latest version from the WordPress repository.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate cool-yt-player
Remove Contributor Access
Temporarily restrict contributor-level user creation until patched
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in the videoid parameter
- Apply strict Content Security Policy (CSP) headers to limit script execution sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Cool YT Player version 1.0 or earlier
Check Version:
wp plugin list --name=cool-yt-player --field=version
Verify Fix Applied:
Verify plugin version is 1.1 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual videoid parameter values containing script tags or JavaScript in WordPress logs
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- HTTP requests with suspicious videoid parameter values containing script elements
- Outbound connections to unknown domains from WordPress pages
SIEM Query:
source="wordpress.log" AND (videoid CONTAINS "<script>" OR videoid CONTAINS "javascript:")
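An added example, not code from the page or the plugin, of the videoid check the Detection section describes done as an allowlist rather than a "<script>" substring match: it parses constructed access-log lines (assumed to be in the Apache/nginx combined format), URL-decodes the query string so encoded payloads are not missed, and flags any videoid that is not an 11-character YouTube ID (an assumed format). The same is_valid_videoid check is the kind of input validation the "If Mitigated" section refers to.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a YouTube video ID is exactly 11 characters from [A-Za-z0-9_-].
VIDEOID_RE = re.compile(r"[A-Za-z0-9_-]{11}")

# Assumption: requests are logged in the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_valid_videoid(value: str) -> bool:
    """Allowlist check: anything that is not a plain 11-character ID fails."""
    return VIDEOID_RE.fullmatch(value) is not None


def videoid_values(path: str) -> list:
    """Return every URL-decoded videoid value in a request's query string."""
    return parse_qs(urlsplit(path).query, keep_blank_values=True).get("videoid", [])


def suspicious_videoid_requests(lines) -> list:
    """Return (client_ip, decoded_videoid) for each request whose videoid fails
    the allowlist; encoded payloads are caught because parse_qs decodes them."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in videoid_values(m.group("path")):
            if not is_valid_videoid(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (not real traffic): one well-formed ID,
# two URL-encoded script values, and one malformed ID.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?videoid=aB3dE5fG7hI HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /?videoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /?videoid=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jan/2025:10:00:04 +0000] "GET /?videoid=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_videoid_requests(SAMPLE_LOG):
        print(f"suspicious videoid from {ip}: {value!r}")
```

The SIEM query above would miss the two encoded lines; the allowlist also surfaces malformed IDs that are not script at all, which is the trade-off to tune against your own traffic.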
🔗 References
- https://plugins.trac.wordpress.org/browser/cool-yt-player/tags/1.0/includes/youtube_video_wrapper.php#L58
- https://plugins.trac.wordpress.org/browser/cool-yt-player/trunk/includes/youtube_video_wrapper.php#L58
- https://www.wordfence.com/threat-intel/vulnerabilities/id/590bdf82-8006-4729-96e5-42b0d1552d19?source=cve