CVE-2025-2484: 
WordPress vulnerability analysis and mitigation

The Multi Video Box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'videoid' and 'groupid' parameters in all versions up to, and including, 1.5.2. The vulnerability was disclosed on March 22, 2025, and has been assigned CVE-2025-2484. The issue stems from insufficient input sanitization and output escaping in the plugin's functionality (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the shortcode generation functionality, specifically in the files getshortcode.php for both video and group views (WordPress Plugin, [WordPress Plugin](https://plugins.trac.wordpress.org/browser/multi-video-box/tags/1.5.2/views/video/getshortcode.php#L10)).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to potential client-side attacks and compromise of user sessions (NVD).

The plugin has been temporarily closed as of March 18, 2025, pending a full security review. Users are advised to disable and remove the plugin until a security fix is available (WordPress Plugin).