
CVE-2025-52776: Video List Manager Stored XSS Vulnerability

CVE-2025-52776 is a stored cross-site scripting flaw in Video List Manager plugin versions up to 1.7 that allows attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

CVE-2025-52776 Overview

CVE-2025-52776 is a stored Cross-Site Scripting (XSS) vulnerability in the Video List Manager WordPress plugin developed by thanhtungtnt. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. Affected versions include all releases up to and including 1.7. Attackers can inject persistent JavaScript payloads that execute in the browsers of users viewing the affected pages. The vulnerability requires user interaction and is exploitable over the network without authentication, with the scope changing to impact resources beyond the vulnerable component.

Critical Impact

Stored XSS payloads persist in the WordPress database and execute in the context of any user viewing the affected pages, enabling session theft, administrative account takeover, and content manipulation.

Affected Products

  • thanhtungtnt Video List Manager plugin for WordPress
  • All versions from initial release through 1.7
  • WordPress sites with the video-list-manager plugin installed and active

Discovery Timeline

  • 2025-07-04 - CVE-2025-52776 published to the National Vulnerability Database
  • 2026-04-23 - Last updated in the NVD

Technical Details for CVE-2025-52776

Vulnerability Analysis

The vulnerability is a stored Cross-Site Scripting flaw in the Video List Manager plugin. The plugin fails to properly neutralize input submitted through its administrative or content interfaces before rendering it back into web pages. Attackers can supply HTML or JavaScript content that the application stores in the WordPress database and serves to subsequent visitors without sanitization or output encoding.

The CVSS scope is rated as changed: once the payload executes, the injected script runs in the victim's browser under the WordPress site's origin, so it can reach resources well beyond the vulnerable plugin itself. The required user interaction is satisfied as soon as an administrator or visitor loads a page that renders the malicious entry.

Root Cause

The root cause is missing or insufficient input sanitization and output encoding [CWE-79]. The plugin accepts user-controlled data fields tied to video list entries and writes them into HTML output without applying WordPress escaping functions such as esc_html(), esc_attr(), or wp_kses(). Any untrusted markup persists in the database and is rendered verbatim.
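The defect class described above, beside its escaped counterpart, as an added example: this is not the Video List Manager plugin's source, and the field names (`id`, `title`, `url`) and the render function are assumptions. The real WordPress functions `esc_html()`, `esc_attr()`, `esc_url()` and `sanitize_text_field()` are used when the file runs inside WordPress; the shims only let it run on its own with `php`.

```php
<?php
// Added example, not the Video List Manager plugin's own source. It shows the
// defect class the advisory describes (user-controlled video-list fields written
// into HTML unescaped) beside the escaped version. The shims below exist only so
// the file runs outside WordPress; inside a plugin the real esc_html(), esc_attr(),
// esc_url() and sanitize_text_field() are used and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Approximation of esc_url(): keep http/https URLs only and drop the rest,
    // which is how a javascript: URI is neutralised. The real function also
    // accepts relative URLs and a longer list of allowed protocols.
    function esc_url($url) {
        $scheme = strtolower((string) parse_url((string) $url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars((string) $url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of sanitize_text_field(): strip tags and surrounding whitespace.
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}

// Unsafe shape: the stored fields are concatenated straight into markup, so a
// payload saved into the title or URL is served verbatim to every visitor.
function render_video_entry_vulnerable(array $entry): string {
    return '<li class="video" data-id="' . $entry['id'] . '">'
         . '<a href="' . $entry['url'] . '">' . $entry['title'] . '</a></li>';
}

// Hardened shape: escape each value for the context it lands in
// (attribute value, URL attribute, text node).
function render_video_entry_hardened(array $entry): string {
    return '<li class="video" data-id="' . esc_attr($entry['id']) . '">'
         . '<a href="' . esc_url($entry['url']) . '">' . esc_html($entry['title']) . '</a></li>';
}

// Defence in depth on the write path: sanitize before the row reaches the
// database, so a payload does not persist even if one template forgets to escape.
function sanitize_video_entry_for_save(array $raw): array {
    return [
        'id'    => (int) ($raw['id'] ?? 0),
        'title' => sanitize_text_field($raw['title'] ?? ''),
        'url'   => (string) ($raw['url'] ?? ''),   // validated and escaped on output by esc_url()
    ];
}

// Constructed entry (not real data) carrying the indicator types the advisory lists.
$entry = [
    'id'    => 7,
    'title' => 'Intro <script>alert(1)</script>',
    'url'   => 'javascript:alert(1)',
];

echo "vulnerable:        ", render_video_entry_vulnerable($entry), PHP_EOL;
echo "hardened:          ", render_video_entry_hardened($entry), PHP_EOL;
echo "sanitized on save: ", json_encode(sanitize_video_entry_for_save($entry)), PHP_EOL;
```

Run it and compare the two rendered lines: the vulnerable one carries the script tag and the `javascript:` link through untouched, the hardened one turns the title into inert text and empties the link. Escaping belongs at output, chosen per context; the save-side sanitization is a second layer, not a replacement for it.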

Attack Vector

Exploitation requires network access and a user action such as visiting a page that renders the stored payload. An attacker with contributor-level access, or one able to coerce a privileged user into submitting attacker-controlled data, can plant a JavaScript payload into a video list entry. When an administrator subsequently loads the affected page, the script executes in their session. Refer to the Patchstack WordPress Vulnerability Report for additional technical details.

Detection Methods for CVE-2025-52776

Indicators of Compromise

  • Unexpected <script>, <iframe>, or event handler attributes (onerror, onload) stored in WordPress wp_posts or plugin-specific tables related to video-list-manager.
  • Outbound HTTP requests from administrator browsers to unknown domains shortly after loading plugin-managed pages.
  • New or modified administrator accounts and unexpected REST API calls originating from authenticated admin sessions.

Detection Strategies

  • Audit database entries created by the video-list-manager plugin for HTML tags, JavaScript keywords, or encoded payloads such as javascript:, String.fromCharCode, or atob(.
  • Deploy a Web Application Firewall (WAF) rule that inspects POST submissions to plugin endpoints for XSS signatures.
  • Review web server access logs for repeated requests to the plugin admin endpoints from low-privilege accounts.
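A content audit implementing the first detection strategy, as an added example that is not part of the advisory or the plugin. It takes rows as PHP arrays so it runs without a database; in a real audit the rows would be pulled from `wp_posts`/`wp_postmeta` or the plugin's own tables through `$wpdb` or WP-CLI (the plugin's table and column names are not given on this page, so the field names below are assumptions).

```php
<?php
// Added example, not from the advisory or the plugin. Flags stored video-list
// fields that carry the indicators listed under Detection Strategies. Matches
// are triage signals for a human review, not a verdict on their own.

const XSS_INDICATORS = [
    'script_tag'     => '/<\s*script\b/i',
    'iframe_tag'     => '/<\s*iframe\b/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',     // onerror=, onload=, onmouseover=, ...
    'javascript_uri' => '/javascript\s*:/i',
    'fromcharcode'   => '/String\.fromCharCode/i',
    'atob'           => '/\batob\s*\(/i',
];

// Undo the encodings a stored payload commonly hides behind before matching:
// HTML entities (&lt;script&gt;) and percent-encoding (%3Cscript%3E).
function normalize_for_audit(string $value): string {
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return rawurldecode($decoded);
}

// Returns the names of every indicator that matches one field value.
function scan_field(string $value): array {
    $hits = [];
    $normalized = normalize_for_audit($value);
    foreach (XSS_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $normalized) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Walks the rows and reports every (row, field) pair with at least one hit.
// $fields are the assumed user-editable columns of a video-list entry.
function audit_video_entries(array $rows, array $fields = ['title', 'description', 'url']): array {
    $findings = [];
    foreach ($rows as $row) {
        foreach ($fields as $field) {
            if (!isset($row[$field])) {
                continue;
            }
            $hits = scan_field((string) $row[$field]);
            if ($hits !== []) {
                $findings[] = ['id' => $row['id'], 'field' => $field, 'indicators' => $hits];
            }
        }
    }
    return $findings;
}

// Constructed sample rows (not real data): one clean entry and three that carry
// an entity-encoded event handler, a javascript: URL and an atob() call.
$rows = [
    ['id' => 1, 'title' => 'Company intro', 'description' => 'Welcome video',                       'url' => 'https://example.com/v/1'],
    ['id' => 2, 'title' => 'Q3 update',     'description' => '&lt;img src=x onerror=alert(1)&gt;',  'url' => 'https://example.com/v/2'],
    ['id' => 3, 'title' => 'Training',      'description' => 'Part 1',                              'url' => 'javascript:alert(1)'],
    ['id' => 4, 'title' => 'Demo',          'description' => 'eval(atob(payload))',                 'url' => 'https://example.com/v/4'],
];

foreach (audit_video_entries($rows) as $finding) {
    printf("entry %d, field %s: %s\n", $finding['id'], $finding['field'], implode(', ', $finding['indicators']));
}
```

Entry 1 produces no finding; entries 2, 3 and 4 are reported with the indicator that fired. The entity decoding is what catches entry 2: without it, `&lt;img ... onerror=...&gt;` looks like harmless text even though some templates will decode it back into live markup. Expect some false positives from the `event_handler` pattern on ordinary words, which is why the output is a review list rather than an automatic purge.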

Monitoring Recommendations

  • Monitor WordPress administrator session activity for anomalous actions performed immediately after viewing plugin pages.
  • Alert on creation of new privileged users, plugin installations, or theme edits following access to video list content.
  • Track Content Security Policy (CSP) violation reports if a restrictive CSP is enforced on the WordPress site.

How to Mitigate CVE-2025-52776

Immediate Actions Required

  • Deactivate and remove the Video List Manager plugin until a patched version above 1.7 is released by the vendor.
  • Audit all existing video list entries and purge any content containing script tags, event handlers, or suspicious encoded strings.
  • Rotate WordPress administrator credentials and invalidate active sessions if exploitation is suspected.

Patch Information

At the time of this writing, no fixed version above 1.7 has been published in the referenced advisory. Monitor the Patchstack WordPress Vulnerability Report and the plugin's WordPress.org page for an official update.

Workarounds

  • Restrict access to plugin administrative endpoints using IP allowlisting or HTTP authentication at the web server layer.
  • Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
  • Limit user roles able to create or edit video list entries to fully trusted administrators only.
  • Deploy a virtual patching rule in a WAF such as Wordfence, Patchstack, or ModSecurity to block XSS payloads targeting video-list-manager endpoints.
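One way to apply the Content Security Policy workaround from inside WordPress, as an added example that is not part of the advisory or the plugin: a must-use plugin that sets the header on WordPress' `send_headers` hook. The trusted CDN origin and the report endpoint path are assumptions. It starts in report-only mode on purpose: WordPress core and many plugins rely on inline scripts, so a `script-src` without `'unsafe-inline'` has to be validated against real traffic before it is enforced, and the violation reports double as the CSP monitoring signal mentioned above.

```php
<?php
// Added example, not from the advisory or the plugin. Drop this into
// wp-content/mu-plugins/ to emit a CSP on every response. Outside WordPress
// (no add_action()) it just prints the header it would send.
const VLM_CSP_REPORT_ENDPOINT = '/csp-report-endpoint';   // hypothetical collector path

// Builds the policy value. No 'unsafe-inline' in script-src means a stored
// inline payload or an on* handler is refused by the browser; a javascript:
// URL is blocked as well because it is treated as inline script.
function video_list_csp_policy(array $trusted_script_origins = []): string {
    $script_src = array_merge(["'self'"], $trusted_script_origins);
    $directives = [
        "default-src 'self'",
        'script-src ' . implode(' ', $script_src),
        "object-src 'none'",
        "base-uri 'self'",
        'report-uri ' . VLM_CSP_REPORT_ENDPOINT,   // violations are posted here (report-to is the newer form)
    ];
    return implode('; ', $directives);
}

// Report-only first; switch to the enforcing header once reports show only
// the payloads you want blocked and no legitimate site scripts.
function video_list_csp_header_name(bool $enforce): string {
    return $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
}

if (function_exists('add_action')) {
    add_action('send_headers', function () {
        $enforce = false;   // flip to true after the report-only run is clean
        header(video_list_csp_header_name($enforce) . ': '
             . video_list_csp_policy(['https://cdn.example.com']));
    });
} else {
    echo video_list_csp_header_name(false), ': ',
         video_list_csp_policy(['https://cdn.example.com']), PHP_EOL;
}
```

While the header is report-only, nothing is blocked; the value of that phase is the stream of reports arriving at the collector, which both tunes the policy and surfaces any stored payload that is already being rendered.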

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
