Cross Site Scripting with >=1.16.0

Are you going to be updating and correcting the XSS problem in the plugin? I've just lost a ton of h5ps because of this major security issue.

Thanks!

Holly

Summary: Major security issue

HhenryTAC, thank you for your post! I am also concerned about this issue! Would appreciate so much if someone could comment on this.

otacke:

I just don't want to leave this uncommented.

This post is linked to https://wordpress.org/support/topic/h5p-plugin-1-16-0-is-vulnerable-to-cross-site/ where Frode (employee of H5P Group) already answered. So, what's the news here?

On October 13, 2025 someone named "Muhammed Yudha" published a report of an alleged security issue on Patchstack (and marked it as low priority by the way, not as a "major security issue" like the original poster here claims). Patchstack released this report on October 15, 2025. You will also find a corresponding CVE record that was published on October 27, 2025. There's also a report on Wordfence, and there will be more sites, because those security service providers "copy and paste" from one another. They are not independent sources, so the number of pages listing this issue is not an indicator of the validity of the claim.

These reports claim that there was a Cross Site Scripting (XSS) vulnerability in the H5P plugin for WordPress. It is supposed to be possible for users who are logged into the admin interface and have contributor-level access to input JavaScript that then would execute in H5P content. Let's assume that this claim is legit. Then let's note two things:

  1. Your site is not magically vulnerable to XSS attacks from arbitrary people who visit your site or server - and that's why it's not a high security issue.
  2. WordPress users with contributor level clearance could as well add JavaScript to the WordPress post that H5P content is included in, so this would be a general WordPress issue not limited to H5P.

But, so far, we only know of that claim. There's no proof. According to Frode, H5P Group has not received any information from Muhammed regarding this issue. The normal process would be to reach out to the maintainer of a software, share details about the vulnerability, and give the maintainer some time to create and release a patch. Users would then have some time to install an update. Only then would details about the vulnerability be made public - to give credit to the security researcher while not threatening users' systems.

We cannot rule out that there is such an issue (and I'd not think it's a bogus claim), but so far, it seems that nobody can verify this. It seems that neither H5P Group received information on how to reproduce this nor has a proof of concept been published publicly. I hope that they will actively reach out to Patchstack to learn more - I think they can by following the "Claim ownership" button in the expanded details on the Patchstack report.

Given that the alleged issue is of a low risk, I'd grab my towel and not panic.
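The post above describes the reported issue as stored XSS: strings authored by a contributor-level user end up in rendered H5P content without being neutralised. The following is an added illustration of the defensive principle, not code from the H5P plugin or from any of the posters: it walks a constructed, H5P-style parameter structure and HTML-escapes every string before it is placed into markup, and it gates raw HTML on a capability modelled after WordPress's `unfiltered_html` (the function names, the sample data and the capability check are assumptions made for this example).

```python
import html
import json

# Constructed sample: content parameters as a contributor might submit them.
# The first question text carries an inline script tag. This is a test
# fixture for the example, not a real H5P payload.
SAMPLE_PARAMS = json.loads("""
{
  "title": "Quiz 1",
  "questions": [
    {"text": "What is 2+2? <script>alert(1)</script>",
     "answers": ["4", "<b>5</b>"]}
  ]
}
""")


def escape_params(value):
    """Recursively HTML-escape every string in a JSON-like structure.

    Dicts and lists are walked; numbers, booleans and None pass through.
    Applied at render time, this turns author-supplied '<script>' into
    '&lt;script&gt;', so the browser shows text instead of running code.
    """
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {k: escape_params(v) for k, v in value.items()}
    if isinstance(value, list):
        return [escape_params(v) for v in value]
    return value


def render_question(params, caps=frozenset()):
    """Build the HTML fragment for the first question.

    `caps` is the set of capabilities of the user who authored the content
    (assumed model: only a user holding 'unfiltered_html', as WordPress
    grants to administrators and editors, may ship raw markup). Everyone
    else, contributors included, gets escaped output.
    """
    safe = params if "unfiltered_html" in caps else escape_params(params)
    q = safe["questions"][0]
    items = "".join(f"<li>{a}</li>" for a in q["answers"])
    return f"<p>{q['text']}</p><ul>{items}</ul>"


def contains_raw_script(fragment):
    """True if an unescaped <script tag survived into the rendered HTML."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    contributor_html = render_question(SAMPLE_PARAMS)
    print(contributor_html)
    print("raw script present:", contains_raw_script(contributor_html))
```

Run as a script, the contributor rendering shows the question text with the script tag turned into visible text, and `contains_raw_script` reports `False`; passing `caps={"unfiltered_html"}` reproduces the trusted-role case the post refers to, where the same markup is emitted as-is.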


otacke:

Hey, HhenryTAC!

I cannot bring the screenshot you posted in connection with the report on Patchstack. How are those two supposed to be linked?

Best,
Oliver

Hey Oliver,

In talking to Wordfence, you're absolutely right and they did do a copy/paste from Patchstack about this issue. There was a CVE listed, CVE-2025-62951, and the CVSS was a 6.4. We are a financial education higher ed, and although we have NO banking or financial information that would be of use to anyone, we get lots of wanna-bes out there trying to get in and have some "fun". So, we are hyper-aware when anything comes in that says "Houston, there's a problem."

I don't use Patchstack. I do use Wordfence, and since Wordfence was also listing it and it showed Muhammed as the researcher, I reached out to Wordfence thinking that he might be one of their researchers. From what I can see, however, no one seems to be able to validate this report.

I didn't appreciate Patchstack stating that this software might be abandoned when, in fact, that is not the case. All the reports, which came from Patchstack/Muhammed, said it'd be best to remove the software and find something else. I've used H5P for a long time at all my employers and with my own sites, and have never had a problem. I have a lot of effort invested in it and I will continue to use it.

I'm hoping this answers your question. If it doesn't, let me know.

Thanks,

Holly

otacke:

Hey, Holly!

There's absolutely no need for you to justify yourself! Security issues should be taken seriously, no doubt. If there's really something (a low risk) lurking somewhere, we'll hopefully learn soon.

I just wonder how you linked that message about "publicly accessible config, backup, ..." shown on your screenshot to the H5P plugin. It does not mention H5P at all. It just tells you that there's a debug.log file inside the wp-content folder which is publicly available.

Best,
Oliver

Oliver....

LOL...wrong screenshot! NOT helpful, nor is it relevant. Here is the real screenshot.

otacke:

Aaah, didn't see that reply before answering to the other comment ...

That message in fact sounds alarming despite the threat not being high. Do you get these from Wordfence regardless of the severity of the reported issue? Suggesting to completely remove a plugin unconditionally feels quite radical. It's some sort of a "solution" for sure, but in the case of H5P that should lead to a total loss of content if I am not mistaken - hope you follow a good backup strategy.

Yeah, my bad. I sent the wrong screenshot. D'oh!

Yes, I get anything Wordfence sends out. I checked Patchstack which is where I saw the message that H5P may have been abandoned. I think that's totally irresponsible...but just my two cents!

Yeah, when you remove H5P it removes all your files. I do have a great backup system, which is, of course, all important.

Thanks, all! I appreciate the deep dive by everyone and @icc0rz in trying to figure out what's going on. I don't want to be at risk, but I also don't want to lose this software!

Holly

otacke:

According to https://github.com/h5p/h5p-wordpress-plugin/pull/200 H5P Group seems to have fixed an issue related to XSS in the WordPress plugin. I cannot tell, however, whether that's all that needs to be done. I'd assume that they will also check the rest of the code for similar issues.

Just to confirm what I stated before: This vulnerability bug that was just fixed indeed required a contributor of the page to be logged in and to actively inject malicious code, so this is not a high risk scenario (unless you host a site where people that you don't know and/or don't trust are contributors).

@icc0rz, @otacke, and Team,

Thank you all for your responses on this "non-issue issue." It's been great talking this one out! I appreciate your patience and due diligence. You all have been great!

Thanks soooo much!

icc0rz, Oliver, Holly and Team,

Thank you so much for this discussion, for explaining the situation. I think I speak for everyone who uses H5P, that we are extremely grateful for your support and the enormous work and energy you put into creating and maintaining such a wonderful and valuable tool. Thank you very much!

Elina

otacke:

An update of the H5P plugin for WordPress that fixes the issue has been released today.