Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Frank Goossens WP YouTube Lyte wp-youtube-lyte allows Phishing. This issue affects WP YouTube Lyte: from n/a through <= 1.7.28.
Published: 2025-11-21
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin allows an attacker to redirect visitors to an untrusted web address. This open redirect flaw can be exploited to facilitate phishing or other malicious campaigns by luring site users to deceptive or malware‑laden destinations. The weakness is categorized as CWE‑601 – URL Redirection to Untrusted Site.

Affected Systems

The vulnerability applies to the WordPress WP YouTube Lyte plugin by Frank Goossens, for all releases up to and including version 1.7.28. Websites that host the plugin in these versions are at risk.

Risk and Exploitability

With a CVSS score of 3.4 the severity is considered low. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely via the web, where a malicious actor can manipulate a redirect parameter in the plugin’s output or administrative interface, leading unsuspecting users to malicious URLs.

Generated by OpenCVE AI on April 29, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP YouTube Lyte to a version newer than 1.7.28
  • If upgrade cannot be performed immediately, disable or restrict the plugin’s redirect functionality by reviewing its settings to avoid untrusted URLs
  • Keep the WordPress core and other plugins up‑to‑date and monitor the vendor’s website for further security advisories

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'} | cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress
Vendors & Products | | Wordpress, Wordpress wordpress

Fri, 21 Nov 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type | Values Removed | Values Added
Description | | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Frank Goossens WP YouTube Lyte wp-youtube-lyte allows Phishing. This issue affects WP YouTube Lyte: from n/a through <= 1.7.28.
Title | | WordPress WP YouTube Lyte plugin <= 1.7.28 - Open Redirection vulnerability
Weaknesses | | CWE-601
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:15.519Z

Reserved: 2025-11-21T11:20:39.726Z

Link: CVE-2025-66062

Vulnrichment

Updated: 2025-11-21T16:29:09.646Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:47.050

Modified: 2026-04-27T18:16:32.137

Link: CVE-2025-66062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:15:23Z

Weaknesses