CVE-2025-5237: 
WordPress vulnerability analysis and mitigation

The Target Video Easy Publish plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5237) discovered on June 18, 2025. The vulnerability affects all versions up to and including 3.8.5 of the plugin, which is used for inserting TargetVideo videos and playlists into WordPress sites (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'width' parameter in the plugin's BridShortcode.php file. It has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 3.8.6 of the Target Video Easy Publish plugin. Users are strongly advised to update to this latest version to protect against potential attacks (WordPress Plugin).