CVE-2025-8072 Overview
CVE-2025-8072 is a stored Cross-Site Scripting (XSS) vulnerability in the Target Video Easy Publish plugin for WordPress, also known as brid-video-easy-publish. The flaw affects all plugin versions up to and including 3.8.8. It originates from insufficient input sanitization and output escaping on the placeholder_img parameter handled in BridShortcode.php. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript that executes in any visitor's browser when the affected page loads. The issue is classified under CWE-79.
Critical Impact
Authenticated Contributor accounts can inject persistent JavaScript that runs in every visitor's session, enabling session theft, administrator account takeover, and arbitrary redirects.
Affected Products
- Target Video Easy Publish (brid-video-easy-publish) WordPress plugin — all versions ≤ 3.8.8
- WordPress sites permitting Contributor-level registration or higher
- Any WordPress installation using vulnerable plugin builds in BridShortcode.php
Discovery Timeline
- 2026-01-28 - CVE-2025-8072 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8072
Vulnerability Analysis
The vulnerability lives in the BridShortcode.php file of the Target Video Easy Publish plugin. The shortcode handler accepts a placeholder_img parameter and renders its value into the page output without sufficient sanitization or escaping. Because shortcode attributes can be supplied by any user who can create or edit posts, a Contributor-level account can embed a payload that the plugin emits directly into HTML markup. When a visitor — including administrators reviewing the draft — loads the page, the injected script executes in the visitor's browser context. The change log entry at changeset 3437514 confirms the maintainers added escaping in the vulnerable rendering path.
Root Cause
The root cause is missing output escaping on a user-controllable shortcode attribute. The plugin trusted the placeholder_img value and inserted it into an HTML attribute or image tag without passing it through esc_attr() or esc_url(). WordPress plugin authors are expected to escape late and escape every dynamic value, and the vulnerable code path skipped this step.
Attack Vector
The attack is network-based and requires authentication at Contributor level or above. The attacker creates or edits a post containing the plugin's shortcode and sets placeholder_img to a payload that breaks out of the attribute context — for example, by closing the attribute and adding an onerror handler or a <script> tag. The post does not need to be published; an administrator previewing the submission triggers script execution. Because the payload is stored in the database, every subsequent visitor to the affected page is exposed.
No verified proof-of-concept code is published. See the Wordfence advisory and the vulnerable source line for technical detail.
Detection Methods for CVE-2025-8072
Indicators of Compromise
- Post or page content containing the plugin's shortcode with a placeholder_img attribute holding HTML tags, quote characters, or javascript: URIs.
- Outbound requests from visitor browsers to unfamiliar domains shortly after rendering pages that embed the plugin shortcode.
- New WordPress administrator accounts or modified user roles appearing after a Contributor submitted or edited content.
Detection Strategies
- Search the wp_posts table for shortcode invocations containing suspicious placeholder_img values such as ", <script, onerror=, or javascript:.
- Compare the installed plugin version against 3.8.8 across all managed WordPress instances and flag any at or below that release.
- Review web server access logs for POST requests to /wp-admin/post.php from Contributor-level accounts followed by visits to the resulting page from administrator IPs.
Monitoring Recommendations
- Enable WordPress audit logging to record post edits, role changes, and plugin activity by lower-privileged users.
- Deploy a Content Security Policy that restricts inline scripts and external script sources to limit XSS impact.
- Alert on anomalous JavaScript execution patterns from front-end content, including unexpected fetch calls to /wp-json/wp/v2/users from session contexts.
How to Mitigate CVE-2025-8072
Immediate Actions Required
- Update the Target Video Easy Publish plugin to a version newer than 3.8.8 that includes the fix from changeset 3437514.
- Audit Contributor, Author, and Editor accounts and remove or disable any that are not actively required.
- Scan all existing posts, pages, and custom post types for the plugin's shortcode and review the placeholder_img values for injected markup.
Patch Information
The plugin maintainer addressed the issue in the commit recorded as changeset 3437514 on the brid-video-easy-publish trunk. Administrators should install the latest release available from the plugin developer page. The Wordfence vulnerability record tracks fixed versions and remediation status.
Workarounds
- Deactivate and remove the Target Video Easy Publish plugin until a patched version is installed.
- Restrict the Contributor role with a capability manager so that affected users cannot use shortcodes or rich content blocks.
- Apply a web application firewall rule that blocks requests containing HTML control characters in shortcode parameters such as placeholder_img.
# Configuration example: identify vulnerable plugin installs and locate suspicious shortcode usage
wp plugin get brid-video-easy-publish --field=version
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content REGEXP 'placeholder_img=\"[^\"]*(<|onerror|javascript:)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

