CVE-2025-22554: 
WordPress vulnerability analysis and mitigation

The Video Embed Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-22554) affecting versions up to and including 1.0.0. The vulnerability was discovered by SOPROBRO and publicly disclosed on January 7, 2025. The issue stems from insufficient input sanitization and output escaping in the plugin (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue requires an authenticated user with contributor-level access or higher to exploit (NVD, WPScan).

When successfully exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page. This could enable attackers to perform various malicious actions including redirects, injecting advertisements, and executing other HTML payloads on the target website (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects Video Embed Optimizer plugin version 1.0.0 and below (Patchstack).