Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.
Published: 2026-04-15
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that can execute arbitrary JavaScript in user browsers
Action: Patch
AI Analysis

Impact

An improper neutralization of input during web page generation in the WordPress YouTube Showcase plugin allows attackers to store malicious JavaScript that will run whenever the plugin’s content is rendered. The vulnerability is classified as a stored XSS flaw (CWE‑79). Based on the description, it is inferred that any JavaScript injected through the plugin’s input fields will be executed in the context of users visiting pages that include the plugin.

Affected Systems

All installations of the Emarket‑design WordPress YouTube Showcase plugin from the earliest release through version 3.5.1 are affected. Users should verify their installed plugin version and consider that any content stored prior to an update could contain malicious scripts.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The CVE does not specify an attack vector; however, the stored XSS nature implies that exploiting the flaw requires the attacker to submit malicious content to the plugin’s data fields, which may be accessible via the WordPress admin interface or through user‑provided input if the plugin allows it. EPSS data is unavailable, and the vulnerability is not listed in the KEV catalog, so publicly known exploits are not recorded at this time. The persistence of the injected script means the risk remains until the plugin is updated or the stored data is removed.

Generated by OpenCVE AI on April 15, 2026 at 22:19 UTC.

Remediation

Vendor Solution

Update the WordPress YouTube Showcase plugin to the latest available version (at least 3.5.2).

OpenCVE Recommended Actions

  • Update the WordPress YouTube Showcase plugin to version 3.5.2 or newer to eliminate the stored XSS flaw
  • If an immediate update is not possible, temporarily disable the plugin or delete any content that may contain injected scripts
  • Implement a Content Security Policy to restrict inline script execution and reduce the impact of any residual XSS

Generated by OpenCVE AI on April 15, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Emarket-design
Emarket-design youtube Showcase
Wordpress
Wordpress wordpress
Vendors & Products Emarket-design
Emarket-design youtube Showcase
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.
Title WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Emarket-design Youtube Showcase
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T17:23:39.918Z

Reserved: 2026-04-15T15:53:13.255Z

Link: CVE-2025-15636

cve-icon Vulnrichment

Updated: 2026-04-15T17:22:45.890Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:00.437

Modified: 2026-04-15T17:17:00.437

Link: CVE-2025-15636

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses