CVE-2025-23947: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the M.J WP-Player WordPress plugin, identified as CVE-2025-23947. The vulnerability affects versions through 2.6.1 of the WP-Player plugin and was initially reported by researcher SOPROBRO on December 29, 2024, with public disclosure following on January 16, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges or higher to exploit (NVD).

If exploited, this vulnerability could allow malicious actors to inject harmful scripts, including redirects and unwanted advertisements, into the website. These malicious payloads would be executed when visitors access the affected site (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Given the low severity impact and unlikely exploitation potential, virtual patching through security plugins or web application firewalls might be considered as temporary mitigation measures (Patchstack).