Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator bulk-youtube-post-creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through <= 1.0.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bulk YouTube Post Creator plugin contains an improper input validation flaw that allows attackers to inject arbitrary script code into the page output. The reflected XSS can execute when a victim clicks a specially crafted link, giving the attacker the ability to hijack sessions, deface content, or deliver malware. This is designated as CWE‑79 and is assigned a CVSS score of 7.1, indicating a high impact if exploited.

Affected Systems

Affected systems are WordPress sites that have the Syed Tahir Ali Jan Bulk YouTube Post Creator plugin version 1.0 or earlier. No specific OS or WordPress version constraints are noted, but any installation of the vulnerable plugin is at risk.

Risk and Exploitability

Exploitation requires a user to visit a crafted URL, so this is a user‑interaction threat. The EPSS score of less than 1% suggests that widespread exploitation is unlikely, and the vulnerability is not yet listed in CISA’s KEV. Nonetheless, WordPress users who expose the plugin’s input fields or share links are at moderate risk, especially if the site does not enforce a strict content‑security policy.

Generated by OpenCVE AI on April 30, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bulk YouTube Post Creator plugin to a version newer than 1.0 that contains the XSS fix.
  • If the plugin is no longer needed, disable or remove it from the WordPress installation.
  • Configure a content‑security policy that restricts script execution to trusted origins and apply an XSS filtering layer.

Advisories
Source | ID | Title
EUVD | EUVD-2025-19322 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator bulk-youtube-post-creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through 1.0.
Title WordPress Bulk YouTube Post Creator plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:26:36.321Z

Reserved: 2025-06-04T15:44:22.453Z

Link: CVE-2025-49423

Vulnrichment

Updated: 2025-06-27T13:15:15.368Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:37.950

Modified: 2026-04-23T15:31:39.453

Link: CVE-2025-49423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')