CVE Vulnerability Database

CVE-2025-58843: Auto Last Youtube Video CSRF Vulnerability

CVE-2025-58843 is a Cross-Site Request Forgery flaw in the Auto Last Youtube Video plugin that enables Stored XSS attacks. This article covers the technical details, affected versions up to 1.0.7, and mitigation strategies.

CVE-2025-58843 Overview

CVE-2025-58843 is a Cross-Site Request Forgery (CSRF) vulnerability in the David Merinas Auto Last Youtube Video WordPress plugin (auto-last-youtube-video). The flaw affects all versions through 1.0.7 and enables Stored Cross-Site Scripting (XSS) through forged requests. An attacker can craft a malicious page that, when visited by an authenticated administrator, submits a request to the vulnerable plugin and persists attacker-controlled script content. The stored payload then executes in the browser of any user who loads the affected WordPress page.

Critical Impact

Successful exploitation chains CSRF with Stored XSS, allowing attackers to execute arbitrary JavaScript in the context of WordPress administrators and site visitors, potentially leading to session theft or further account compromise.

Affected Products

  • David Merinas Auto Last Youtube Video plugin for WordPress
  • All versions up to and including 1.0.7 (no lower bound is given in the advisory data)
  • WordPress installations using the auto-last-youtube-video plugin

Discovery Timeline

  • 2025-09-05 - CVE-2025-58843 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-58843

Vulnerability Analysis

The vulnerability is classified under [CWE-352] Cross-Site Request Forgery. The Auto Last Youtube Video plugin processes state-changing administrative requests without verifying request origin. The plugin lacks valid anti-CSRF tokens (WordPress nonces) on the affected endpoints, so any authenticated administrator session can be abused by an external page. Because the same handler also fails to sanitize input, attacker-supplied content is stored persistently and rendered as HTML, producing a Stored XSS condition. The attack requires user interaction, since an authenticated administrator must visit an attacker-controlled page or follow a crafted link.

Root Cause

The root cause is missing CSRF protection on plugin configuration endpoints combined with insufficient output encoding. WordPress provides wp_nonce_field() and check_admin_referer() to validate request authenticity, but the affected handler in auto-last-youtube-video does not enforce these checks through version 1.0.7. The absence of nonce validation allows cross-origin form submissions to persist arbitrary values into plugin settings.
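The handler pattern described above, shown as an added example that is not the plugin's own code: a settings-save handler in the shape the root-cause analysis describes, beside the same handler with the WordPress nonce, capability, input-sanitization and output-escaping checks in place. The option name, action name and page slug (alyv_example_*) are hypothetical placeholders.

```php
<?php
// Added example (not from the plugin): minimal admin-post settings handler.
// Option name, action name and page slug are hypothetical placeholders.

// BEFORE: the pattern the advisory describes. No nonce check, no capability
// check, raw input persisted, and the value later echoed unescaped.
function alyv_example_save_settings_vulnerable() {
    update_option( 'alyv_example_channel_id', $_POST['channel_id'] ); // no nonce, no sanitization
    wp_safe_redirect( admin_url( 'options-general.php?page=alyv-example' ) );
    exit;
}

// AFTER: the same handler with the checks WordPress already provides.
function alyv_example_save_settings_hardened() {
    // 1. Reject requests that do not carry a nonce issued for this action.
    //    check_admin_referer() stops the request with a 403 on failure; a
    //    cross-origin form cannot obtain the nonce, so the forged POST fails here.
    check_admin_referer( 'alyv_example_save_settings', '_wpnonce' );

    // 2. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'alyv-example' ), 403 );
    }

    // 3. Sanitize on input: strip tags and control characters before storing.
    $channel_id = isset( $_POST['channel_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['channel_id'] ) )
        : '';
    update_option( 'alyv_example_channel_id', $channel_id );

    wp_safe_redirect( admin_url( 'options-general.php?page=alyv-example' ) );
    exit;
}
add_action( 'admin_post_alyv_example_save', 'alyv_example_save_settings_hardened' );

// The settings form must emit the matching nonce, or check_admin_referer() rejects it.
function alyv_example_render_form() {
    $value = get_option( 'alyv_example_channel_id', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'alyv_example_save_settings', '_wpnonce' );
    echo '<input type="hidden" name="action" value="alyv_example_save">';
    // 4. Escape on output: a stored value can never become markup on this page.
    echo '<input type="text" name="channel_id" value="' . esc_attr( $value ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

Steps 1 and 2 close the CSRF half of the chain; steps 3 and 4 close the Stored XSS half, so a value that slips into the database through some other path is still rendered as text rather than executed.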

Attack Vector

The attack vector is network-based and requires victim interaction. An attacker hosts a malicious page containing a hidden form or JavaScript that auto-submits a POST request to the WordPress admin endpoint for the plugin. When a logged-in administrator visits the page, the browser includes session cookies and the forged request is accepted. The injected JavaScript is stored in plugin settings and executes whenever the affected page renders. See the Patchstack CSRF Vulnerability Advisory for further technical details.

Detection Methods for CVE-2025-58843

Indicators of Compromise

  • Unexpected <script> tags or event handler attributes stored in auto-last-youtube-video plugin options within the wp_options table.
  • WordPress access logs showing POST requests to plugin admin endpoints with Referer headers pointing to external domains.
  • New or modified administrator accounts created shortly after an administrator visited an untrusted site.

Detection Strategies

  • Audit the wp_options table for entries belonging to the plugin and inspect values for HTML or JavaScript content.
  • Review web server and WordPress audit logs for state-changing requests to the plugin lacking valid _wpnonce parameters.
  • Deploy a Web Application Firewall (WAF) rule to flag cross-origin POSTs to /wp-admin/ endpoints associated with the plugin.
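The wp_options audit from the first strategy above, as an added example that is not part of the advisory or the plugin: a script run with `wp eval-file scan-options.php` that selects the plugin's option rows and reports values matching the indicators listed in this section (script tags, event-handler attributes, javascript: URLs, other HTML tags). The option-name prefix 'auto_last_youtube' is an assumed placeholder; take the real option names from the installed plugin.

```php
<?php
// Added example (not from the plugin or the advisory). Run as:
//   wp eval-file scan-options.php
// The prefix passed at the bottom is a hypothetical placeholder.

// Returns option_name => list of matching indicator names for every row whose
// name starts with $prefix and whose value looks like stored markup or script.
function alyv_example_find_suspicious_options( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            $like
        )
    );
    $findings = array();
    foreach ( $rows as $row ) {
        $hits = alyv_example_classify_value( $row->option_value );
        if ( $hits ) {
            $findings[ $row->option_name ] = $hits;
        }
    }
    return $findings;
}

// Triage heuristic, not a parser: serialized option values are checked as raw
// text, and the html_tag pattern also fires on legitimate HTML a plugin may
// store on purpose, so review each hit rather than deleting on sight.
function alyv_example_classify_value( $value ) {
    $patterns = array(
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'javascript_url' => '/javascript\s*:/i',
        'html_tag'       => '/<\s*[a-z][a-z0-9]*[\s>\/]/i',
    );
    $hits = array();
    foreach ( $patterns as $name => $re ) {
        if ( preg_match( $re, (string) $value ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$findings = alyv_example_find_suspicious_options( 'auto_last_youtube' ); // placeholder prefix
if ( empty( $findings ) ) {
    WP_CLI::success( 'No suspicious values found.' );
} else {
    foreach ( $findings as $name => $hits ) {
        WP_CLI::warning( sprintf( '%s: %s', $name, implode( ', ', $hits ) ) );
    }
    WP_CLI::halt( 1 ); // non-zero exit so a scheduled run can alert on findings
}
```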

Monitoring Recommendations

  • Monitor administrator browser sessions for unexpected outbound requests originating from WordPress admin pages.
  • Alert on modifications to plugin configuration values containing characters such as <, >, or javascript:.
  • Track plugin version inventory across WordPress sites and flag any instance running auto-last-youtube-video at version 1.0.7 or earlier.

How to Mitigate CVE-2025-58843

Immediate Actions Required

  • Deactivate and remove the Auto Last Youtube Video plugin until a fixed version is confirmed available.
  • Inspect plugin settings for injected script content and clear any unexpected values.
  • Force a password reset and session invalidation for all WordPress administrator accounts.

Patch Information

At the time of publication, the vendor advisory indicates the vulnerability affects all versions up to and including 1.0.7, with no patched version identified in the referenced data. Site operators should consult the Patchstack CSRF Vulnerability Advisory for updated remediation guidance.

Workarounds

  • Remove the auto-last-youtube-video plugin entirely if a vendor patch is not available.
  • Restrict WordPress administrator access to dedicated browsers or sessions that do not browse untrusted sites.
  • Deploy a WAF rule to require a valid Referer and _wpnonce on POST requests to /wp-admin/admin.php endpoints handling the plugin.
  • Apply Content Security Policy (CSP) headers to limit inline script execution on WordPress pages.
```bash
# Example: remove the vulnerable plugin via WP-CLI
wp plugin deactivate auto-last-youtube-video
wp plugin delete auto-last-youtube-video
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
