Impact
The vulnerability is a stored cross-site scripting flaw in the YouTube Subscribe WordPress plugin. Values entered through the plugin's admin settings are stored without proper sanitization and rendered without escaping, so an administrator or higher-privileged account (including a compromised one) can insert JavaScript that runs automatically in the browser of any visitor who loads a page containing the injected data. A visitor who views such a page can have their browser session hijacked, their cookies stolen, or malicious actions performed on their behalf. The weakness is classified as CWE-79.
Affected Systems
All releases of the mahabubs YouTube Subscribe plugin up to and including version 3.0.0 are affected. The problem exists on WordPress installations that are configured as multisite and where the unfiltered_html capability is turned off, which is the configuration under which the unsanitized output becomes exploitable. Only accounts with administrator rights or higher within the network can trigger the flaw.
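To make the two conditions above concrete (input stored without sanitization, output without escaping, and the unfiltered_html capability that normally distinguishes trusted markup from untrusted markup), here is an added illustration of the pattern and its fix. This is not code from the YouTube Subscribe plugin; the option name yts_demo_channel, the form field yts_channel, the settings group and the nonce action are all hypothetical, and the WordPress functions used (register_setting, sanitize_text_field, current_user_can, check_admin_referer, esc_html, esc_url) are standard core API.

```php
<?php
// Added illustration, not code from the YouTube Subscribe plugin.
// Option, field, settings-group and nonce names are hypothetical.

/*
 * Vulnerable pattern: the value posted from the admin settings page is
 * stored as-is and echoed back verbatim. A <script> saved by an
 * administrator account therefore executes in every visitor's browser
 * that renders the widget (stored XSS, CWE-79).
 */
function yts_demo_save_unsafe() {
    if ( isset( $_POST['yts_channel'] ) ) {
        update_option( 'yts_demo_channel', $_POST['yts_channel'] ); // no sanitization
    }
}

function yts_demo_render_unsafe() {
    echo '<div class="yts-subscribe">' . get_option( 'yts_demo_channel' ) . '</div>'; // no escaping
}

/*
 * Hardened pattern: sanitize on input through the Settings API (the
 * sanitize_callback runs on every update_option for this option), verify
 * capability and nonce when saving, and escape on output with the helper
 * that matches the HTML context. Because sanitization no longer depends
 * on the user's capabilities, it holds for administrators who lack
 * unfiltered_html (multisite, or where the capability has been removed).
 */
function yts_demo_register_settings() {
    register_setting(
        'yts_demo_group',
        'yts_demo_channel',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags, so markup never reaches the database
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'yts_demo_register_settings' );

function yts_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only settings administrators may write the option
    }
    check_admin_referer( 'yts_demo_save', 'yts_demo_nonce' ); // CSRF protection for the settings form

    $channel = isset( $_POST['yts_channel'] )
        ? sanitize_text_field( wp_unslash( $_POST['yts_channel'] ) )
        : '';
    update_option( 'yts_demo_channel', $channel );
}

function yts_demo_render_safe() {
    $channel = get_option( 'yts_demo_channel', '' );

    // esc_url for the attribute context, esc_html for the text node.
    printf(
        '<a class="yts-subscribe" href="%s">%s</a>',
        esc_url( 'https://www.youtube.com/channel/' . rawurlencode( $channel ) ),
        esc_html( $channel )
    );
}
```

Escaping at output is the control that closes the hole even if an older, unsanitized value is already in the database; the sanitize_callback stops new payloads from being stored. If a setting genuinely has to accept a subset of HTML, wp_kses with an explicit allow-list is the sanitizer to use in place of sanitize_text_field, rather than relying on the user holding unfiltered_html.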
Risk and Exploitability
The CVSS score of 4.4 indicates medium severity. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no public exploit targeting this flaw is known yet. The attack path requires the attacker to first gain administrative access to the WordPress installation and then use the plugin's settings page to inject malicious code. Because the flaw is limited to multisite environments with unfiltered_html disabled, the potential damage is confined to those specific deployments.
OpenCVE Enrichment