Platform
wordpress
Component
youtube-showcase
Fixed in
3.5.2
CVE-2025-54731 describes an Object Injection vulnerability within the YouTube Showcase WordPress plugin. This flaw allows attackers to inject malicious objects, potentially leading to unauthorized code execution and compromise of the WordPress site. The vulnerability affects versions from 0.0.0 through 3.5.1, and a patch is available in version 3.5.2.
The Object Injection vulnerability in YouTube Showcase presents a significant risk. Successful exploitation could allow an attacker to inject arbitrary objects into the application, potentially leading to remote code execution (RCE). This could enable attackers to gain complete control over the affected WordPress site, including access to sensitive data, modification of content, and installation of malware. The impact extends beyond the immediate site, potentially affecting users and any connected systems. While specific exploitation details remain limited, the potential for RCE makes this a high-priority vulnerability to address.
CVE-2025-54731 was published on 2025-08-28. As of this date, there are no publicly known proof-of-concept exploits. The vulnerability's severity is rated HIGH, indicating a potential for significant impact. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not currently confirmed, but the potential for exploitation warrants immediate attention.
WordPress sites utilizing the YouTube Showcase plugin, particularly those running older versions (0.0.0 – 3.5.1), are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable. Sites with weak security configurations or limited monitoring capabilities are particularly susceptible to exploitation.
• wordpress / composer / npm:
grep -r 'emmarket-design/youtube-showcase' /var/www/html/wp-content/plugins/
wp plugin list | grep youtube-showcase
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/youtube-showcase/disclosure
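The commands above only establish that the plugin is installed; they do not compare the installed release with the fixed version 3.5.2. The script below is an added example, not part of this advisory or of the plugin's own code: it reads the standard WordPress "Version:" plugin header from the plugin's main file and classifies it with PHP's version_compare(). The plugins directory path and the file name used in the offline demonstration are assumptions.

```php
<?php
// Added example, not from the advisory or the YouTube Showcase plugin.
// Report whether an installed copy of the plugin is below the fixed release
// 3.5.2 by reading the standard "Version:" line of its plugin header.
// The plugins directory path passed on the command line is an assumption.

const FIXED_VERSION = '3.5.2';

/** Return the "Version:" header value from a plugin file, or null. */
function plugin_header_version(string $file): ?string
{
    // WordPress itself only inspects the first 8 KiB of a file for headers.
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    // Same leading-character set WordPress tolerates before a header key.
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m)) {
        return $m[1];
    }
    return null;
}

/** Classify a version string as "vulnerable", "patched" or "unknown". */
function classify_version(?string $version): string
{
    // Keep only the leading dotted-numeric part ("3.5.1-beta" -> "3.5.1").
    if ($version === null || !preg_match('/^\d+(\.\d+)*/', $version, $m)) {
        return 'unknown';
    }
    // version_compare() copes with differing field counts ("3.5" < "3.5.2").
    return version_compare($m[0], FIXED_VERSION, '<') ? 'vulnerable' : 'patched';
}

/** Locate the main plugin file (the one carrying "Plugin Name:") and classify it. */
function check_plugin_dir(string $dir): string
{
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head === false || stripos($head, 'Plugin Name:') === false) {
            continue;
        }
        $version = plugin_header_version($file);
        return ($version ?? '?') . ' ' . classify_version($version);
    }
    return 'unknown';
}

// Real use (path is an assumption):
//   php check-youtube-showcase.php /var/www/html/wp-content/plugins/youtube-showcase
// Without an argument, run against a constructed header to show the output.
if ($argc > 1) {
    echo check_plugin_dir($argv[1]), PHP_EOL;
} else {
    $tmp = sys_get_temp_dir() . '/ys-demo-' . bin2hex(random_bytes(4));
    mkdir($tmp);
    // Constructed sample header, not a real file from the plugin.
    file_put_contents(
        $tmp . '/youtube-showcase.php',
        "<?php\n/*\n * Plugin Name: YouTube Showcase\n * Version: 3.5.1\n */\n"
    );
    echo check_plugin_dir($tmp), PHP_EOL;
    unlink($tmp . '/youtube-showcase.php');
    rmdir($tmp);
}
```

Run the script on every WordPress docroot you manage rather than on the single site where you first noticed the advisory; the plugin is often installed under the same slug across a hosting fleet.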
Exploit status
EPSS
0.04% (percentile 13%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54731 is to immediately upgrade the YouTube Showcase plugin to version 3.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to reduce the attack surface. While a direct WAF rule is unlikely to prevent the injection, implementing strict input validation and sanitization on all user-supplied data within the plugin could offer some protection. After upgrading, verify the fix by attempting to inject a known malicious object and confirming that it is properly handled and does not result in code execution.
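The advisory names the bug class (PHP object injection) and the mitigation (update; otherwise validate input), but does not say where in the plugin the unsafe deserialization sits. The code below is an added example, not the plugin's code and not taken from the advisory: it shows the bug class in general terms, with the unsafe pattern beside two hardened forms. The class name, the field names and the "serialized state" parameter are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the YouTube Showcase plugin or this advisory.
// Illustrates the PHP Object Injection bug class generically: the advisory
// does not identify the plugin's vulnerable code path, so the class and the
// field names below are assumptions.

class ShowcaseState
{
    public string $playlist = '';
    public int $page = 1;
}

/**
 * Vulnerable pattern: client-supplied serialized data reaches unserialize()
 * with no restriction. Any class loaded in the WordPress process (core, theme,
 * other plugins) can be instantiated, and its magic methods (__wakeup,
 * __destruct, __toString, ...) run with the plugin's privileges.
 */
function restore_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

/** Shared field validation: reject anything that is not the expected scalar type. */
function build_state(array $data): ShowcaseState
{
    $playlist = $data['playlist'] ?? '';
    $page     = $data['page'] ?? 1;
    if (!is_string($playlist) || !is_int($page)) {
        throw new InvalidArgumentException('unexpected field types in state');
    }
    $state = new ShowcaseState();
    $state->playlist = sanitize_key_like($playlist);
    $state->page     = max(1, $page);
    return $state;
}

/**
 * Hardened pattern A: keep unserialize() but forbid object instantiation
 * (PHP >= 7.0). Embedded objects become __PHP_Incomplete_Class, no magic
 * methods fire, and the type check in build_state() then rejects them.
 */
function restore_state_hardened(string $raw): ShowcaseState
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('state must be a serialized array');
    }
    return build_state($data);
}

/**
 * Hardened pattern B (preferred for new code): never accept PHP serialized
 * data from the client; use JSON, which cannot express objects of
 * arbitrary classes, and validate each field.
 */
function restore_state_json(string $raw): ShowcaseState
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('state must be a JSON object');
    }
    return build_state($data);
}

/** Stand-in for WordPress's sanitize_key(): lowercase [a-z0-9_-] only. */
function sanitize_key_like(string $s): string
{
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($s)) ?? '';
}

// Constructed input: a serialized array whose "playlist" field carries an
// object instead of a string. The vulnerable path instantiates the class;
// the hardened path refuses the request.
$input = 'a:2:{s:8:"playlist";O:13:"ShowcaseState":0:{}s:4:"page";i:1;}';

$unsafe = restore_state_vulnerable($input);
echo 'vulnerable path instantiated: ', get_class($unsafe['playlist']), PHP_EOL;

try {
    restore_state_hardened($input);
} catch (InvalidArgumentException $e) {
    echo 'hardened path rejected: ', $e->getMessage(), PHP_EOL;
}

echo 'json path accepted playlist: ',
    restore_state_json('{"playlist":"Spring Demo 2025","page":3}')->playlist, PHP_EOL;
```

The allowed_classes option is the smallest change that removes the object-instantiation primitive from an existing unserialize() call, which is why it is the usual shape of a patch for this bug class; moving the format to JSON removes the call altogether and is the better long-term fix.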
Update the YouTube Showcase plugin to the latest available version to mitigate the PHP object injection vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Take a full backup of your website before applying any update.
CVE-2025-54731 is a HIGH severity Object Injection vulnerability affecting YouTube Showcase WordPress plugin versions 0.0.0–3.5.1, allowing attackers to inject malicious objects.
If you are using YouTube Showcase versions 0.0.0 through 3.5.1, you are affected by this vulnerability. Check your plugin version immediately.
Upgrade the YouTube Showcase plugin to version 3.5.2 or later to resolve this vulnerability. If upgrading is not immediately possible, disable the plugin temporarily.
As of the publication date, there are no confirmed reports of active exploitation, but the potential for RCE warrants immediate action.
Refer to the emarket-design website and WordPress plugin repository for the official advisory and update information.