CVE-2025-58843: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in David Merinas Auto Last Youtube Video plugin through version 1.0.7. The vulnerability was discovered and reported by Nguyen Xuan Chien on June 7, 2025, and was publicly disclosed on September 5, 2025. This security issue has been assigned CVE-2025-58843 and affects the WordPress plugin Auto Last Youtube Video up to version 1.0.7 (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) that allows for Stored XSS. It has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is Network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability has been categorized under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The CVSS scoring indicates potential impacts on confidentiality, integrity, and availability, all rated as Low, but with a Changed scope that elevates the overall severity (Patchstack).

As there is no official fix available and the software is considered abandoned, the recommended mitigation is to remove and replace the software with an alternative solution. Note that merely deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).