Platform: wordpress
Component: youtube-showcase
Fixed in: 3.5.2
CVE-2025-54731 describes an Object Injection vulnerability within the YouTube Showcase WordPress plugin. This flaw allows attackers to inject malicious objects, potentially leading to unauthorized code execution and compromise of the WordPress site. The vulnerability affects versions from 0.0.0 through 3.5.1, and a patch is available in version 3.5.2.
The Object Injection vulnerability in YouTube Showcase presents a significant risk. Successful exploitation could allow an attacker to inject arbitrary objects into the application, potentially leading to remote code execution (RCE). This could enable attackers to gain complete control over the affected WordPress site, including access to sensitive data, modification of content, and installation of malware. The impact extends beyond the immediate site, potentially affecting users and any connected systems. While specific exploitation details remain limited, the potential for RCE makes this a high-priority vulnerability to address.
CVE-2025-54731 was published on 2025-08-28. As of this date, there are no publicly known proof-of-concept exploits. The vulnerability's severity is rated HIGH, indicating a potential for significant impact. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not currently confirmed, but the potential for exploitation warrants immediate attention.
Exploit Status: EPSS 0.04% (13th percentile)
The primary mitigation for CVE-2025-54731 is to immediately upgrade the YouTube Showcase plugin to version 3.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to reduce the attack surface. While a direct WAF rule is unlikely to prevent the injection, implementing strict input validation and sanitization on all user-supplied data within the plugin could offer some protection. After upgrading, verify the fix by attempting to inject a known malicious object and confirming that it is properly handled and does not result in code execution.
Update the YouTube Showcase plugin to the latest available version to mitigate the PHP Object Injection vulnerability. Check for updates in the WordPress repository or on the developer's website. Ensure you perform a full backup of your website before applying any updates.
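To make the "strict input validation" advice above concrete, the following added example (hypothetical code, not the YouTube Showcase plugin's own source, which this advisory does not show) contrasts the generic PHP Object Injection pattern, where client-controlled data reaches unserialize(), with a hardened loader that forbids object instantiation and whitelists the expected keys. The function names and the settings keys per_page and layout are assumptions made for the example.

```php
<?php
// Added, hypothetical example: not the plugin's code. Shows the bug class
// this advisory describes (PHP Object Injection) and a defensive rewrite.

// Vulnerable pattern: untrusted input is deserialized as-is, so any class
// present on the site is instantiated with attacker-chosen properties and
// its magic methods (__wakeup, __destruct, ...) run.
function load_settings_unsafe( string $raw ) {
    return unserialize( $raw );
}

// Hardened pattern (PHP >= 7.0): allowed_classes => false turns every
// serialized object into __PHP_Incomplete_Class, so no class of the
// attacker's choosing is instantiated; the result is then shape-checked.
function load_settings_safe( string $raw ): array {
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array(); // serialized scalars, false, or a bare object: rejected
    }
    // Whitelist the keys the feature needs and coerce each to its type;
    // nested objects or unexpected keys are silently dropped.
    $clean = array( 'per_page' => 10, 'layout' => 'grid' );
    if ( isset( $data['per_page'] ) && is_numeric( $data['per_page'] ) ) {
        $clean['per_page'] = max( 1, min( 100, (int) $data['per_page'] ) );
    }
    if ( isset( $data['layout'] ) && in_array( $data['layout'], array( 'grid', 'list' ), true ) ) {
        $clean['layout'] = $data['layout'];
    }
    return $clean;
}

// Preferred: do not accept PHP-serialized data from clients at all. JSON
// decoded to associative arrays can never instantiate a class.
function load_settings_json( string $raw ): array {
    $data = json_decode( $raw, true );
    return is_array( $data ) ? load_settings_safe( serialize( $data ) ) : array();
}

// Constructed sample input: a legitimate settings blob as the plugin might store it.
$sample = serialize( array( 'per_page' => '25', 'layout' => 'list', 'extra' => 'ignored' ) );
var_dump( load_settings_safe( $sample ) );   // per_page => 25, layout => 'list'
var_dump( load_settings_json( '{"per_page": 500, "layout": "table"}' ) ); // 100, 'grid'
```

Reusing load_settings_safe() from the JSON path is deliberate: both entry points then share one whitelist, so a future key cannot be validated in one place and forgotten in the other.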
CVE-2025-54731 is a HIGH severity Object Injection vulnerability affecting YouTube Showcase WordPress plugin versions 0.0.0–3.5.1, allowing attackers to inject malicious objects.
If you are using YouTube Showcase versions 0.0.0 through 3.5.1, you are affected by this vulnerability. Check your plugin version immediately.
Upgrade the YouTube Showcase plugin to version 3.5.2 or later to resolve this vulnerability. If upgrading is not immediately possible, disable the plugin temporarily.
As of the publication date, there are no confirmed reports of active exploitation, but the potential for RCE warrants immediate action.
Refer to the emarket-design website and WordPress plugin repository for the official advisory and update information.