An improper neutralization of input during web page generation in the emarket‑design YouTube Showcase plugin allows attackers to store malicious JavaScript that will run whenever the plugin’s content is rendered. The vulnerability is classified as a stored XSS flaw (CWE‑79). Based on the description, it is inferred that any JavaScript injected through the plugin’s input fields will be executed in the context of users visiting pages that include the plugin.

All installations of the Emarket‑design WordPress YouTube Showcase plugin from the earliest release through version 3.5.1 are affected. Users should verify their installed plugin version and consider that any content stored prior to an update could contain malicious scripts.

The CVSS score of 6.5 indicates moderate severity. The CVE does not specify an attack vector; however, the stored XSS nature implies that exploiting the flaw requires the attacker to submit malicious content to the plugin’s data fields, which may be accessible via the WordPress admin interface or through user‑provided input if the plugin allows it. The EPSS score of < 1% indicates a very low probability that the vulnerability will be exploited, and the vulnerability is not listed in the KEV catalog, so publicly known exploits are not recorded at this time. The persistence of the injected script means the risk remains until the plugin is updated or the stored data is removed.