Platform: wordpress
Component: youtube-showcase
Fixed in: 3.5.2
CVE-2025-15636 describes a Stored Cross-Site Scripting (XSS) vulnerability in the YouTube Showcase plugin by Emarket-design. The flaw allows an attacker to inject script into pages served by the plugin, potentially compromising user accounts and data integrity. All versions of YouTube Showcase up to and including 3.5.1 are affected; the fix shipped in version 3.5.2.
CVE-2025-15636 is a Stored Cross-Site Scripting (XSS) vulnerability in YouTube Showcase versions 3.5.1 and earlier. An attacker who can place script into a stored field can have it execute in the browser of every user who later views the affected page. Possible impact includes cookie theft, redirection to attacker-controlled sites, modification of page content, and actions performed in the name of the affected user. The CVSS score of 6.5 rates it a moderate risk that still warrants prompt attention. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so there is no confirmed report of exploitation in the wild at this time.
The vulnerability arises from improper neutralization of user input during webpage generation within YouTube Showcase. An attacker could exploit it by submitting JavaScript through a vulnerable input field, such as a comment or video description. Because the value is stored in the database, the script runs every time a user views the affected page, not just once. Successful exploitation requires the attacker to be able to write to the stored field; inadequate authentication on the affected input fields would lower that bar.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-15636 is to update YouTube Showcase to version 3.5.2 or later; the update neutralizes the affected user input so stored values can no longer inject script. Beyond patching, follow secure coding practice by validating and sanitizing all user input before it is used in webpage generation. Monitoring application logs for suspicious input helps detect and respond to attempted abuse. A Content Security Policy (CSP) adds a further layer of defence by restricting the sources from which the browser may load scripts, which limits what any injected script can do.
Update to version 3.5.2 or a newer patched version.
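The two code-level mitigations named above, sanitize on save and escape on output, alongside the vulnerable pattern they replace, as an added example in WordPress-style PHP. This is not code from the YouTube Showcase plugin: the meta key, function names and the "video description" field are assumptions made for illustration.

```php
<?php
// Added example, not plugin code. Hypothetical meta key for a stored
// video description; the real plugin's storage is not known from the advisory.
const YTSC_EXAMPLE_META_KEY = '_ytsc_example_description';

// Sanitize when the value is written, so nothing executable reaches the database.
function ytsc_example_save_description( int $post_id, string $raw ) : void {
    // wp_kses_post() keeps safe formatting (<p>, <a>, <strong>) and strips
    // <script> elements, on* event handlers and javascript: URLs.
    $clean = wp_kses_post( wp_unslash( $raw ) );
    update_post_meta( $post_id, YTSC_EXAMPLE_META_KEY, $clean );
}

// Vulnerable pattern: the stored value is echoed into the page unescaped.
// Whatever an attacker managed to store runs in every visitor's browser.
function ytsc_example_render_unsafe( int $post_id ) : string {
    $description = get_post_meta( $post_id, YTSC_EXAMPLE_META_KEY, true );
    return '<div class="ytsc-description">' . $description . '</div>';
}

// Hardened pattern: escape for the exact output context at render time, even
// though the value was sanitized on save (defence in depth for rows written
// before the sanitizer existed).
function ytsc_example_render_safe( int $post_id ) : string {
    $description = get_post_meta( $post_id, YTSC_EXAMPLE_META_KEY, true );
    $title       = get_the_title( $post_id );
    return sprintf(
        '<div class="ytsc-description" data-title="%s">%s</div>',
        esc_attr( $title ),          // attribute context
        wp_kses_post( $description ) // HTML body context, allow-listed tags only
    );
}

// Content Security Policy as a second layer: inline script is refused even if
// an unescaped value slips through. frame-src permits the YouTube embeds this
// kind of plugin renders.
add_filter( 'wp_headers', function ( array $headers ) : array {
    $headers['Content-Security-Policy'] =
        "default-src 'self'; script-src 'self'; object-src 'none'; " .
        "frame-src https://www.youtube.com https://www.youtube-nocookie.com; " .
        "base-uri 'self'";
    return $headers;
} );
```

A strict `script-src 'self'` breaks themes and plugins that rely on inline scripts, so roll it out under `Content-Security-Policy-Report-Only` first and review the violation reports before enforcing.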
Stored XSS is a type of attack where malicious code is saved on the server (for example in a database) and executed in users' browsers when they visit the page that renders it.
Check whether you are running a vulnerable version of YouTube Showcase (3.5.1 or earlier). Vulnerability scanning tools or a penetration test can confirm exposure.
CVSS is a score indicating the severity of a vulnerability; 6.5 indicates a moderate risk.
KEV is CISA's Known Exploited Vulnerabilities catalog. Absence from KEV means no confirmed exploitation in the wild has been recorded, not that the vulnerability is harmless.
Implement secure coding practices, validate and sanitize user inputs, and configure a Content Security Policy (CSP).