Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube dsgvo-youtube allows DOM-Based XSS. This issue affects DSGVO Youtube: from n/a through <= 1.5.1.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DSGVO Youtube plugin contains an improper neutralization flaw (CWE-79) that lets an attacker inject script into the page as the browser renders it. Because the issue is DOM-based, the injection happens in the plugin's client-side JavaScript: attacker-influenced input (typically part of the URL) reaches a sink such as innerHTML or an attribute assignment without being validated or encoded, so the HTML the server sends can look clean while the page still executes the payload. The injected JavaScript runs in the victim's browser session on the affected site and can read page content, submit requests with the victim's privileges, or deface the page. WordPress sets its authentication cookies as HttpOnly, so outright cookie theft is usually not the practical outcome; actions performed as the victim, including as an administrator in the dashboard, are.

Affected Systems

WordPress sites running the DSGVO Youtube plugin (slug dsgvo-youtube, authored by Eric-Oliver Mächler) at any release up to and including 1.5.1 are affected. The advisory lists no operating system or WordPress core version exclusions; the flaw is in the plugin's own code, so the site's WordPress version does not change exposure.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) scores 6.5, medium severity. It assumes a network attacker who holds a low-privileged account on the site (PR:L) and a victim who must take an action such as following a crafted link (UI:R); scope is changed because the injected script runs in the victim's browser rather than in the plugin's own security context, and confidentiality, integrity and availability impact are each rated low. The EPSS score below 1 % indicates a low observed likelihood of exploitation at this time, the issue is not in the CISA KEV catalog, and the SSVC record on this page rates exploitation as none and the flaw as not automatable. The likely route is a URL whose parameter or fragment the plugin's JavaScript reads and writes into the DOM without sanitizing it; the advisory does not name the affected parameter. Impact is bounded by the victim's privileges on the site: a script executing in an administrator's session acts with administrator capabilities in the WordPress dashboard, which is where the real damage lies.

Generated by OpenCVE AI on May 1, 2026 at 10:23 UTC.
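
A worked illustration of the DOM-based pattern described in the Impact and Risk sections above, added here as an example. It is not code from the DSGVO Youtube plugin or from OpenCVE; the `video` query parameter, the function names, the `#player` container and the sample video IDs are assumptions. It shows the unsafe shape (a URL parameter interpolated into markup destined for `innerHTML`) beside a hardened version that reduces the input to the one thing an embed needs, an 11-character YouTube video ID, and builds the iframe through DOM APIs rather than string concatenation.

```javascript
// Added example (not the plugin's code). Demonstrates a DOM-based XSS source/sink
// pair for a YouTube embed and the allow-list fix. The parsing functions run in
// Node; mountEmbed() needs a DOM (real or stubbed).

// Hypothetical source: the plugin's script reads a `video` query parameter.
// (The advisory does not name the real parameter; this name is assumed.)
function readVideoParam(loc = globalThis.location) {
  return new URLSearchParams(loc.search).get('video');
}

// VULNERABLE shape: the raw parameter lands in markup that is then assigned to
// container.innerHTML. A value such as  "><img src=x onerror=alert(1)>  closes
// the src attribute and adds an element whose event handler fires on insert.
// (innerHTML does not execute <script> tags, but it does run inline handlers.)
function buildEmbedMarkupUnsafe(videoParam) {
  return '<iframe src="https://www.youtube-nocookie.com/embed/' + videoParam +
         '" allowfullscreen></iframe>';
}

// HARDENED: accept only what an embed needs. YouTube video IDs are exactly 11
// characters from [A-Za-z0-9_-]; anything else is rejected, not "cleaned".
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Reduce a bare ID or a youtube.com / youtu.be URL to a validated ID, or null.
function parseVideoId(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  if (VIDEO_ID.test(s)) return s;

  let url;
  try { url = new URL(s); } catch { return null; }                        // not a URL
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // e.g. javascript:

  const host = url.hostname.replace(/^(www|m)\./, '');
  let candidate = null;
  if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (url.pathname === '/watch') {
      candidate = url.searchParams.get('v');
    } else {
      const m = url.pathname.match(/^\/(?:embed|shorts|v)\/([^/]+)/);
      if (m) candidate = m[1];
    }
  } else if (host === 'youtu.be') {
    candidate = url.pathname.slice(1).split('/')[0];
  }
  return candidate !== null && VIDEO_ID.test(candidate) ? candidate : null;
}

// Build the iframe with DOM APIs instead of string concatenation. Even the
// validated ID goes through setAttribute, so no HTML parsing of input occurs.
function mountEmbed(container, videoId, doc = globalThis.document) {
  if (!VIDEO_ID.test(videoId)) {
    throw new TypeError('refusing to embed: not a YouTube video id');
  }
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('src',
    'https://www.youtube-nocookie.com/embed/' + encodeURIComponent(videoId));
  iframe.setAttribute('allowfullscreen', '');
  iframe.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
  container.replaceChildren(iframe);   // replaces any previous embed
  return iframe;
}

// Constructed payload for the usage note and tests.
const XSS_PAYLOAD = '"><img src=x onerror=alert(document.domain)>';
```

In the browser the consent-gated flow becomes `const id = parseVideoId(readVideoParam()); if (id) mountEmbed(document.querySelector('#player'), id);`. A Content-Security-Policy of `script-src 'self'` without `'unsafe-inline'` would also stop the `onerror` handler in the payload, but only as a second layer: the string-built markup is the bug, and the fix is to validate the ID and never hand untrusted text to an HTML parser.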

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a plugin release newer than 1.5.1 (the recommended-actions text names 1.5.2) as soon as one is available. The advisory marks every release up to and including 1.5.1 as affected and this page records no vendor fix, so confirm the fixed version against the plugin changelog or the Patchstack advisory rather than assuming it.
  • If an upgrade is not immediately possible, stop the plugin from reading attacker-controllable input: remove embeds from pages where untrusted users can influence the URL or any value the plugin's script reads, or deactivate the plugin until a patch is applied. The advisory does not name the affected parameter, so treat every input the plugin's JavaScript consumes as suspect.
  • Deploy a Content-Security-Policy that disallows inline script and inline event handlers (for example `script-src 'self'` with no `'unsafe-inline'`, or a nonce-based policy) and restricts script sources to approved hosts. Roll it out in report-only mode first, since WordPress core and many plugins emit inline scripts; the policy contains the injected handler but does not remove the bug, which still has to be fixed in the plugin's JavaScript.
  • Monitor for XSS attempts: review web-server and application logs for requests to pages carrying the plugin's embed whose query strings contain markup, `javascript:` URLs or `on...=` handlers, including URL-encoded and double-encoded forms. A payload delivered in the URL fragment (after `#`) is never sent to the server and will not appear in those logs, so pair log review with client-side signals such as CSP violation reports.

Generated by OpenCVE AI on May 1, 2026 at 10:23 UTC.
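
A log triage routine for the monitoring step in the recommended actions above, added here as an example; it is not OpenCVE's or the plugin's code. It parses web-server lines in the common "combined" format, URL-decodes each query string (handling double encoding), flags entries that contain markup, inline handlers or `javascript:` URLs, and runs on constructed sample lines whose paths, addresses and `video` parameter are made up for the example. It also carries the caveat that a payload placed in the URL fragment never reaches the server.

```javascript
// Added example (not the plugin's or OpenCVE's code). Flags requests whose
// query string, after URL-decoding, carries markup or inline event handlers.

// Apache/nginx "combined" format:
//   ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer, agent] = m;
  const q = target.indexOf('?');
  return {
    ip, time, method, status: Number(status), referer, agent,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

// Decode repeatedly (bounded) so %2522 -> %22 -> " is caught; stop on bad input.
function decodeLoose(s) {
  let prev = null;
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch { break; }
  }
  return cur;
}

// Indicators of an attempt to break out of an attribute or inject a handler.
// Deliberately coarse: the goal is a short review list, not a blocking rule.
const XSS_INDICATORS = [
  ['tag',     /<\s*[a-z!\/]/i],
  ['handler', /\bon[a-z]+\s*=/i],
  ['js-url',  /javascript\s*:/i],
  ['srcdoc',  /srcdoc\s*=/i],
];

function classifyQuery(rawQuery) {
  const decoded = decodeLoose(rawQuery);
  const matched = XSS_INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  return { decoded, matched };
}

// Return the entries worth a human look, in log order.
function triageLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || entry.query === '') continue;
    const { decoded, matched } = classifyQuery(entry.query);
    if (matched.length) hits.push({ ...entry, decodedQuery: decoded, matched });
  }
  return hits;
}

// Constructed sample lines (documentation-range addresses, made-up paths and a
// made-up `video` parameter). A payload placed after '#' in the URL is never
// sent to the server, so a purely fragment-driven DOM XSS leaves no trace here.
const SAMPLE_LOG = [
  '203.0.113.5 - - [15/Apr/2025:12:20:01 +0000] "GET /2025/04/video-post/?video=aB3dE5gH7jK HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Apr/2025:12:21:13 +0000] "GET /2025/04/video-post/?video=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '198.51.100.7 - - [15/Apr/2025:12:21:40 +0000] "GET /2025/04/video-post/?video=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '203.0.113.9 - - [15/Apr/2025:12:22:05 +0000] "GET /2025/04/video-post/?video=https%3A%2F%2Fyoutu.be%2FaB3dE5gH7jK HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"',
];
```

Running `triageLogLines(SAMPLE_LOG)` returns the two requests from 198.51.100.7 and nothing else: the bare video ID and the encoded youtu.be URL decode to harmless strings. The `handler` pattern anchors on a word boundary so parameter names such as `section=` do not trip it, though a parameter literally named `onboarding` would; tune the list to the site's own URLs before wiring it into alerting.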

Advisories
Source: EUVD
ID: EUVD-2025-10956
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube allows DOM-Based XSS. This issue affects DSGVO Youtube: from n/a through 1.5.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics, added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube allows DOM-Based XSS. This issue affects DSGVO Youtube: from n/a through 1.5.1.
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube dsgvo-youtube allows DOM-Based XSS.This issue affects DSGVO Youtube: from n/a through <= 1.5.1.
  References: changed (values not listed)
  Metrics, added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 15 Apr 2025 15:15:00 +0000
  Metrics, added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 12:15:00 +0000
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube allows DOM-Based XSS. This issue affects DSGVO Youtube: from n/a through 1.5.1.
  Title, added: WordPress DSGVO Youtube plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-79
  References: added (values not listed)
  Metrics, added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.803Z

Reserved: 2025-02-17T11:51:47.718Z

Link: CVE-2025-26982

Vulnrichment

Updated: 2025-04-15T14:14:51.791Z

NVD

Status: Deferred

Published: 2025-04-15T12:15:21.267

Modified: 2026-04-23T15:26:11.137

Link: CVE-2025-26982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses