Porn Videos Embed <= 0.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-49061 | Plugin Vulnerabilities

Description

The Porn Videos Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

porn-videos-embed

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cad57b23-1d0a-4676-a52a-51ae0a13d126

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Kévin Mosbahi (Mika)

Verified

No

WPVDB ID

b6bb3b38-bf31-410e-82d6-70e0770e0466

Timeline

Publicly Published

2025-08-06 (about 7 months ago)

Added

2025-08-11 (about 7 months ago)

Last Updated

2025-08-11 (about 7 months ago)

Other

Published

Title

Published

2025-07-04

Title

My Reservation System <= 2.3 - Reflected XSS

Published

2021-10-18

Title

Microsoft Clarity < 0.4 - Admin+ Stored Cross-Site Scripting

Published

2023-04-10

Title

Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS

Published

2025-03-31

Title

WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-01-27

Title

Target Video Easy Publish < 3.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder_img Parameter