Cross-Site Scripting Vulnerability in WWBN AVideo Product
CVE-2025-36548

8.3HIGH

Key Information:

Vendor

WordPress
Status
Avideo
Vendor
CVE Published:
24 July 2025

What is CVE-2025-36548?

A cross-site scripting vulnerability in the LoginWordPress loginForm cancelUri parameter of WWBN AVideo versions 14.4 and dev master commit 8a8954ff allows attackers to exploit specially crafted HTTP requests. This could lead to the execution of arbitrary JavaScript in the context of a user's session. By tricking users into visiting a compromised webpage, an attacker could leverage this vulnerability for malicious activities.

Affected Version(s)

AVideo 14.4

AVideo dev master commit 8a8954ff

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Claudio Bozzato of Cisco Talos.
.
CVE-2025-36548 : Cross-Site Scripting Vulnerability in WWBN AVideo Product