CVE-2025-52771: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in bcupham Video Expander plugin version 1.0 and earlier. The vulnerability was discovered by Chu The Anh (Blue Rock) on May 10, 2025, and was officially published on August 14, 2025. The vulnerability received the identifier CVE-2025-52771 and affects the WordPress Video Expander Plugin through version 1.0 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The impact is considered to have low severity but could affect website integrity and user experience (Patchstack).

No official fix is available for this vulnerability. The recommended solution is to remove and replace the software with an alternative, as the plugin is considered abandoned and unlikely to receive future updates or security fixes (Patchstack).