CVE-2025-23799 Overview
CVE-2025-23799 is a reflected Cross-Site Scripting (XSS) vulnerability in the tubegtld .TUBE Video Curator WordPress plugin. The flaw affects all plugin versions up to and including 1.1.9. It stems from improper neutralization of user-supplied input during web page generation [CWE-79].
An attacker can craft a malicious URL containing JavaScript payloads. When a victim follows the link, the payload executes in the victim's browser within the context of the vulnerable WordPress site. Successful exploitation can lead to session theft, credential harvesting, and unauthorized actions performed on behalf of the victim.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser session, enabling theft of authentication cookies, redirection to malicious sites, and unauthorized actions against the WordPress site.
Affected Products
- tubegtld .TUBE Video Curator WordPress plugin (tube-video-curator)
- All versions from initial release through 1.1.9
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2025-02-03 - CVE-2025-23799 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23799
Vulnerability Analysis
The vulnerability is classified as Reflected Cross-Site Scripting under [CWE-79]. The .TUBE Video Curator plugin processes user-controlled input from HTTP request parameters and reflects it directly into rendered HTML output. The plugin fails to apply output encoding or input sanitization before this reflection.
Exploitation requires user interaction. An attacker delivers a crafted link, typically through phishing, social media, or a malicious third-party site. When the victim clicks the link, the WordPress server reflects the attacker's payload into the response. The browser then parses and executes the injected JavaScript under the origin of the vulnerable site.
Because the scope is changed, the impact crosses security boundaries. An attacker can target authenticated administrators to escalate the attack into account takeover or persistent backdoor installation through the WordPress admin interface.
Root Cause
The plugin code accepts request parameters and outputs them into HTML responses without invoking WordPress sanitization functions such as esc_html(), esc_attr(), or wp_kses(). This omission allows raw script content to flow from request to response.
Attack Vector
The attack vector is network-based and requires victim interaction. An attacker constructs a URL pointing to a vulnerable endpoint of the tube-video-curator plugin, appending a parameter containing a script payload. The payload executes when the victim's browser renders the reflected response.
No verified exploit code is publicly available. Technical detail is published in the Patchstack WordPress Vulnerability Database.
Detection Methods for CVE-2025-23799
Indicators of Compromise
- HTTP requests to tube-video-curator plugin endpoints containing URL-encoded <script>, javascript:, onerror=, or onload= substrings in query parameters
- Referer headers from untrusted external domains preceding requests to the plugin's endpoints
- Unexpected outbound requests from administrator browser sessions to attacker-controlled domains following a click on a crafted link
- Web server access logs showing unusually long query strings targeting plugin parameters
Detection Strategies
- Inspect web server and WordPress access logs for requests targeting the tube-video-curator plugin path with suspicious parameter values
- Deploy a Web Application Firewall (WAF) rule set with XSS signature detection for parameters processed by the plugin
- Use browser Content Security Policy (CSP) violation reports to surface unauthorized inline script execution attempts
- Correlate authentication events with anomalous administrator activity that may indicate session hijacking
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized SIEM for retention and search
- Alert on outbound connections from admin user sessions to newly seen external domains
- Monitor changes to WordPress administrator accounts, user roles, and plugin/theme files for signs of post-exploitation activity
- Track plugin version inventory across WordPress sites to identify unpatched installations
How to Mitigate CVE-2025-23799
Immediate Actions Required
- Identify all WordPress installations running the .TUBE Video Curator plugin at version 1.1.9 or earlier
- Deactivate and remove the plugin if a patched release is not yet available or not required
- Rotate WordPress administrator credentials and invalidate active sessions if exploitation is suspected
- Review WordPress audit logs for unauthorized administrative actions during the exposure window
Patch Information
At the time of publication, the vulnerability affects all versions through 1.1.9. Review the Patchstack advisory for the current patch status and upgrade to the latest fixed version when published by the vendor.
Workarounds
- Disable the tube-video-curator plugin until a patched version is verified and installed
- Deploy WAF rules that block request parameters containing HTML or JavaScript tags targeting plugin endpoints
- Enforce a strict Content Security Policy that disallows inline script execution on the WordPress front end
- Restrict administrator access to trusted IP addresses to reduce the blast radius of a successful XSS attack
# Example WAF rule (ModSecurity) to block reflected XSS payloads against the plugin
SecRule REQUEST_URI "@contains /wp-content/plugins/tube-video-curator/" \
"chain,id:1009923,phase:2,deny,status:403,log,msg:'Possible XSS targeting tube-video-curator (CVE-2025-23799)'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
