The vulnerability is a Stored Cross‑Site Scripting flaw caused by improper neutralization of input during web page generation in the Video Playlist For YouTube plugin. An attacker who can inject a malicious string into a playlist entry will have that string stored and later rendered as part of the page, allowing the attacker’s script to execute in the browsers of any visitor. This can lead to session hijacking, credential theft, defacement, or the execution of more complex client‑side attacks. The weakness is classified as CWE‑79, a classic input‑validation issue. The vulnerability could let an attacker perform a variety of attacks in the context of the logged‑in user who views the compromised page.

The flaw affects all WordPress installations that use the Galaxy Weblinks Video Playlist For YouTube plugin version 6.7.1 or earlier. Because the plugin can be installed on any WordPress site, a large number of publicly accessible websites are potentially exposed. The plugin stores playlist entries in the WordPress database and renders them on the front‑end without sanitizing user‑supplied data.

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests the probability of exploitation is currently low. The vulnerability is not included in the CISA KEV catalog. Likely attack vectors are via the public web: a user with permission to create or edit playlists can inject the payload. Once injected, the payload is served to all visitors of that playlist page, potentially escalating the attack surface.