Impact
The Auto Last Youtube Video plugin contains a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to inject a stored Cross-Site Scripting (XSS) payload into the plugin's data store. Because the request is not protected against CSRF, a forged request sent from a victim's browser is executed with the privileges of that authenticated user; the injected script can then lead to session theft, defacement, or arbitrary code execution within the victim's browser context.
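As an added illustration that is not the plugin's own code (this page does not show the plugin's actual handlers), the following hypothetical WordPress settings handler demonstrates the defect class described above beside its hardened form. The hook names, option name, and function names (all prefixed alyv_) are assumptions made for the example; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, esc_attr, esc_url) are real core functions.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical settings
// handler for a YouTube-video plugin, first without CSRF protection and
// output escaping, then hardened. All alyv_* names are invented.

/* ---- Vulnerable pattern ---------------------------------------- */

// Handles POST requests to admin-post.php?action=alyv_save_unsafe
add_action( 'admin_post_alyv_save_unsafe', 'alyv_save_unsafe' );

function alyv_save_unsafe() {
    // No capability check and no nonce check: any request that carries the
    // administrator's session cookie is accepted, so a form submitted from an
    // attacker-controlled page works. The value is stored unsanitized, so a
    // script payload persists in the database (stored XSS).
    update_option( 'alyv_video_id', $_POST['video_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=alyv' ) );
    exit;
}

function alyv_render_unsafe() {
    // Unescaped output: whatever was stored is written into every page view.
    echo '<div class="alyv">' . get_option( 'alyv_video_id' ) . '</div>';
}

/* ---- Hardened pattern ------------------------------------------ */

add_action( 'admin_post_alyv_save', 'alyv_save_settings' );

function alyv_save_settings() {
    // 1. Authorization: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action and this user; check_admin_referer() dies on a mismatch.
    check_admin_referer( 'alyv_save_settings', 'alyv_nonce' );

    // 3. Validate and sanitize: a YouTube video id is typically 11
    //    URL-safe characters, so anything else is rejected outright.
    $video_id = isset( $_POST['video_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['video_id'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $video_id ) ) {
        wp_die( 'Invalid video id.', '', array( 'response' => 400 ) );
    }
    update_option( 'alyv_video_id', $video_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=alyv' ) );
    exit;
}

function alyv_settings_form() {
    // The settings form embeds the nonce that alyv_save_settings() verifies.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="alyv_save">';
    wp_nonce_field( 'alyv_save_settings', 'alyv_nonce' );
    echo '<input type="text" name="video_id" value="'
        . esc_attr( get_option( 'alyv_video_id', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function alyv_render() {
    // 4. Re-validate and escape on output, so even a value stored by an
    //    older, vulnerable version cannot execute in visitors' browsers.
    $video_id = get_option( 'alyv_video_id', '' );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $video_id ) ) {
        return;
    }
    echo '<iframe src="' . esc_url( 'https://www.youtube.com/embed/' . $video_id )
        . '" allowfullscreen></iframe>';
}
```

The nonce check is what closes the CSRF hole: a cross-site form cannot include a valid nonce for the victim's session, so the forged request is rejected before anything is written. The capability check, input whitelist, and output escaping are independent layers; the output-side check matters for sites that update after a payload has already been stored, because the stored value is otherwise served to every visitor until it is cleaned up.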
Affected Systems
This vulnerability affects all releases of the WordPress plugin Auto Last Youtube Video, developed by David Merinas, up to and including version 1.0.7. Sites running any of these vulnerable versions should plan to update, disable, or remove the plugin.
Risk and Exploitability
The CVSS score of 7.1 indicates a significant potential impact when an attacker can coerce a privileged user into performing an unintended action. Based on the description, attackers would most likely craft a malicious URL or form submission that a logged-in administrator clicks or submits, thereby sending a forged request to the plugin. The EPSS score of < 1% suggests that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, which lowers the likelihood of pre-existing active exploitation, but once injected, the stored XSS would persist for every site visitor.
OpenCVE Enrichment