MEDIUM · CVE-2025-15636 · CVSS 6.5

CVE-2025-15636: YouTube Showcase Stored XSS – Versions <= 3.5.1

Platform

wordpress

Component

youtube-showcase

Fixed in

3.5.2

AI Confidence: high · Source: NVD · EPSS 0.03% · Reviewed: Apr 2026

CVE-2025-15636 describes a Stored Cross-Site Scripting (XSS) vulnerability in the YouTube Showcase WordPress plugin by Emarket-design. An authenticated, low-privileged user can store script in plugin-managed content that is later rendered unescaped, so the script executes in the browser of anyone who views the affected page, potentially compromising that user's session and the integrity of site content. All versions up to and including 3.5.1 are affected. The issue is fixed in 3.5.2.


Impact and Attack Scenarios

CVE-2025-15636 in YouTube Showcase versions 3.5.1 and earlier is a Stored Cross-Site Scripting (XSS) vulnerability: attacker-supplied markup is saved by the plugin and later written into a page unescaped, so it executes in the browser of every user who visits that page. Typical consequences are theft of session data not protected by the HttpOnly flag, redirection to attacker-controlled sites, defacement or silent modification of page content, and requests issued with the victim's privileges. The last point matters most in WordPress: if an administrator views the poisoned page while logged in, the script runs with that session and can perform any action the administrator can, such as creating accounts or changing site settings. The CVSS 3.1 base score is 6.5 (Medium), warranting prompt patching. The vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means no in-the-wild exploitation has been confirmed by CISA; it does not mean the flaw is benign.

Exploitation Context

The vulnerability arises from improper neutralization of user input during web page generation in YouTube Showcase: a value a user supplies is stored and later emitted into the page's HTML without context-appropriate escaping. This page does not identify the specific field involved. The CVSS vector (AV:N, PR:L, UI:R) indicates that exploitation needs an authenticated account with low privileges and that a victim must view the page on which the payload is rendered; because the payload is persisted, it fires for every such viewer until the stored data is cleaned up. Sites that grant content-submission accounts to untrusted users (open registration, contributor or author roles) are therefore the most exposed.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.03% (10th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS v3.1 Base Score (nextguardhq.com): 6.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Changed; Confidentiality: Low; Integrity: Low; Availability: Low
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — the impact lands outside the vulnerable component: the plugin runs on the server, but the injected script executes in the victim's browser under the site's origin, a different security authority.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: youtube-showcase
Vendor: Emarket-design (the source record lists wordfence, a CNA for WordPress plugin CVEs)
Affected range: 0.0.0 – 3.5.1
Fixed in: 3.5.2

Package Information

Active installs
2K
Plugin rating
4.9
Requires WordPress
5.8+
Compatible up to
6.9.4

Weakness Classification (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The fix for CVE-2025-15636 is to update YouTube Showcase to version 3.5.2 or later, which neutralizes the affected output. Until the update is applied, reduce exposure: limit who holds accounts able to submit content handled by the plugin (the vector requires an authenticated, low-privileged user), review stored plugin data for injected markup such as script tags or event-handler attributes, and watch application logs for those strings appearing in submitted fields. In your own code, validate and sanitize input on save and, more importantly, escape on output for the exact context the value lands in (HTML text, attribute value, or URL); input sanitization alone is not a reliable XSS control. A Content Security Policy that disallows inline script adds defense in depth against stored XSS, but WordPress core and many plugins depend on inline scripts, so test a report-only policy before enforcing one.
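The sink pattern described under Exploitation Context and the fix described above, side by side, as an added PHP example written for this page. It is hypothetical code, not code from YouTube Showcase or Emarket-design: the shortcode name `demo_video_card`, the meta keys `_demo_video_title` and `_demo_video_url`, and the nonce name are assumptions, and this page does not document where the real plugin's sink is.

```php
<?php
/**
 * Added example: a WordPress stored-XSS sink of the kind CVE-2025-15636
 * describes, next to its hardened form. Hypothetical shortcode and meta
 * names; not the plugin's own code. Runs inside WordPress (its API is
 * assumed to be loaded).
 */

// --- VULNERABLE: trusts stored data and concatenates it into HTML -------
// Anyone who can edit a post (PR:L) can store <img src=x onerror=...> in
// the meta value; it then runs for every visitor who renders the shortcode.
function demo_video_card_unsafe( $atts ) {
    $atts  = shortcode_atts( array( 'post_id' => get_the_ID() ), $atts, 'demo_video_card_unsafe' );
    $title = get_post_meta( (int) $atts['post_id'], '_demo_video_title', true );
    $url   = get_post_meta( (int) $atts['post_id'], '_demo_video_url', true );

    // Attribute context AND text context, both unescaped.
    return '<a class="video-card" href="' . $url . '" title="' . $title . '">'
         . $title . '</a>';
}

// --- HARDENED: sanitize on save, escape per context on output ------------
function demo_video_card_save( $post_id ) {
    if ( ! isset( $_POST['demo_video_title'], $_POST['demo_video_url'] ) ) {
        return;
    }
    // Capability and nonce checks: a low-privileged user may only write to
    // posts they are allowed to edit, and only from the plugin's own form.
    if ( ! current_user_can( 'edit_post', $post_id )
      || ! isset( $_POST['demo_video_nonce'] )
      || ! wp_verify_nonce( $_POST['demo_video_nonce'], 'demo_video_save' ) ) {
        return;
    }
    // Normalize input, but do not rely on this alone: the output escaping
    // below is what actually prevents script injection.
    update_post_meta( $post_id, '_demo_video_title',
        sanitize_text_field( wp_unslash( $_POST['demo_video_title'] ) ) );
    update_post_meta( $post_id, '_demo_video_url',
        esc_url_raw( wp_unslash( $_POST['demo_video_url'] ), array( 'https' ) ) );
}
add_action( 'save_post', 'demo_video_card_save' );

function demo_video_card_safe( $atts ) {
    $atts  = shortcode_atts( array( 'post_id' => get_the_ID() ), $atts, 'demo_video_card' );
    $id    = (int) $atts['post_id'];
    $title = (string) get_post_meta( $id, '_demo_video_title', true );
    $url   = (string) get_post_meta( $id, '_demo_video_url', true );

    // Only allow YouTube hosts as the link target; anything else is dropped,
    // which also blocks javascript: and data: URLs that esc_url would not
    // necessarily turn into something harmless for this use.
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $host, array( 'www.youtube.com', 'youtube.com', 'youtu.be' ), true ) ) {
        $url = '';
    }

    // Each value is escaped for the exact context it lands in.
    return sprintf(
        '<a class="video-card" href="%s" title="%s">%s</a>',
        esc_url( $url ),    // URL inside an attribute
        esc_attr( $title ), // quoted attribute value
        esc_html( $title )  // element text
    );
}
add_shortcode( 'demo_video_card', 'demo_video_card_safe' );
```

The caveat a WordPress developer should take from this: core's KSES filtering protects `post_content` written by users who lack the `unfiltered_html` capability, but it does nothing for plugin-managed meta fields or options, so a plugin that stores its own fields must escape them itself at output. That is why plugin fields are where stored XSS in WordPress is usually found.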

How to fix

Update to version 3.5.2, or a newer patched version


Frequently asked questions

What is CVE-2025-15636 — Cross-Site Scripting (XSS) in YouTube Showcase?

CVE-2025-15636 is a stored cross-site scripting flaw in the YouTube Showcase WordPress plugin, versions up to and including 3.5.1. Script supplied by an authenticated low-privileged user is saved server-side and executes in the browsers of users who later view the affected page.

Am I affected by CVE-2025-15636 in YouTube Showcase?

You are affected if the site runs YouTube Showcase 3.5.1 or earlier. Check the installed version on the Plugins screen of the WordPress admin or with WP-CLI, or run a vulnerability scanner that covers WordPress plugins. Version 3.5.2 and later are not affected.
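One way to make the version check permanent rather than a one-off, as an added PHP example that is not code from the plugin or from this page's publisher: a must-use plugin that enumerates installed plugins and raises an admin notice while YouTube Showcase is still at or below 3.5.1. The plugin directory `youtube-showcase/` and the fixed version 3.5.2 come from this advisory; the constant and function names and the notice text are assumptions.

```php
<?php
/**
 * Added example (not from YouTube Showcase or its vendor): a must-use plugin
 * that flags a YouTube Showcase install still affected by CVE-2025-15636.
 * Place in wp-content/mu-plugins/. Matching is done on the plugin directory
 * 'youtube-showcase/' so the main-file name need not be known.
 */

define( 'DEMO_YTS_FIXED_VERSION', '3.5.2' ); // first unaffected release per the advisory

/**
 * Return the installed YouTube Showcase version, or null if it is not installed.
 */
function demo_yts_installed_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( 0 === strpos( $plugin_file, 'youtube-showcase/' ) ) {
            return (string) $data['Version'];
        }
    }
    return null;
}

/**
 * True when an installed version is older than the fixed release.
 * version_compare() handles suffixes such as "3.5.1-beta" correctly, which a
 * plain string comparison would not.
 */
function demo_yts_is_vulnerable( $version ) {
    return null !== $version
        && version_compare( $version, DEMO_YTS_FIXED_VERSION, '<' );
}

add_action( 'admin_notices', function () {
    // Only users who can act on the warning see it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $version = demo_yts_installed_version();
    if ( ! demo_yts_is_vulnerable( $version ) ) {
        return;
    }
    // The version string comes from a plugin header on disk; escape it anyway.
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'YouTube Showcase %s is affected by CVE-2025-15636 (stored XSS). Update to %s or later.',
            $version,
            DEMO_YTS_FIXED_VERSION
        ) )
    );
} );
```

Because it lives in `mu-plugins`, the check cannot be deactivated from the admin UI and keeps running until the update is applied, at which point it goes quiet on its own.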

How do I fix CVE-2025-15636 in YouTube Showcase?

Update YouTube Showcase to version 3.5.2 or a later release. Until you can, limit which accounts can submit content handled by the plugin and review stored plugin data for injected markup.

Is CVE-2025-15636 being actively exploited?

Not according to the data on this page: the vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, no public proof of concept is known, the CISA SSVC exploitation status is "none", and the EPSS score is 0.03% (10th percentile). Absence from KEV means no confirmed in-the-wild exploitation, not that the flaw is harmless.

Where can I find the official YouTube Showcase advisory for CVE-2025-15636?

This page does not link a vendor advisory. The CVE record for CVE-2025-15636 is available from NVD, and the plugin's changelog for release 3.5.2 documents the fix.
