Description
Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through <= 3.5.1.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress YouTube Showcase plugin is vulnerable to PHP Object Injection, which can let an attacker inject arbitrary PHP code. The flaw arises from improper validation of user-controlled data during object deserialization, exposing the plugin to code injection. It is classified as CWE-94 and can compromise confidentiality, integrity and availability by allowing an attacker to execute arbitrary code on the affected host.

Affected Systems

All installations of the YouTube Showcase plugin from emarket-design, from the earliest release through version 3.5.1, are affected. No specific operating system or PHP version restrictions are listed, so any WordPress site running a vulnerable plugin instance is at risk.

Risk and Exploitability

The CVSS score of 8.1 places the flaw in the high-severity range, and the EPSS score of less than 1% suggests exploit attempts are rare but not impossible. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread public exploitation at this time. Attackers could potentially trigger the injection by submitting specially crafted input to the plugin's endpoints, likely requiring user authentication or access to the plugin's administration interface; note, however, that the recorded CVSS vector (AV:N/AC:H/PR:N/UI:N) lists no privileges required and high attack complexity. Successful exploitation would give the attacker full PHP execution capability on the web server.

Generated by OpenCVE AI on April 30, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the YouTube Showcase plugin to a version that removes the object injection flaw.
  • If an update is unavailable, deactivate or uninstall the plugin to eliminate the attack surface.
  • As an additional safeguard, disable dangerous PHP functions (e.g., system, exec, passthru) to limit what injected code could do, and enforce strict input validation on plugin endpoints so that user-supplied data is never passed to deserialization unchecked.


Advisories
Source: EUVD
ID: EUVD-2025-25973
Title: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through 3.5.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through 3.5.1.
Value Added: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through <= 3.5.1.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 Aug 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type: Description
Value Added: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through 3.5.1.

Type: Title
Value Added: WordPress YouTube Showcase Plugin <= 3.5.1 - PHP Object Injection Vulnerability

Type: Weaknesses
Value Added: CWE-94

Type: References

Type: Metrics (cvssV3_1)
Value Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:36.755Z

Reserved: 2025-07-28T10:56:33.522Z

Link: CVE-2025-54731

Vulnrichment

Updated: 2025-08-28T14:01:54.657Z

NVD

Status : Deferred

Published: 2025-08-28T13:16:08.683

Modified: 2026-04-23T15:32:54.213

Link: CVE-2025-54731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses