Description
The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘channel', 'layout', and 'subs_count’ parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the subscribe_link_att function executed with Contributor or higher access
Action: Upgrade Plugin
AI Analysis

Impact

The vulnerability allows an authenticated user with Contributor-level or higher permissions to inject arbitrary JavaScript into stored data using the ‘channel’, ‘layout’, and ‘subs_count’ parameters of the Get Youtube Subs plugin. When a user visits a page that includes this malicious content, the script runs in their browser, potentially giving the attacker access to the visitor’s session cookies, personal data, or allowing unauthorized actions. This is a classic stored XSS flaw (CWE‑79).

Affected Systems

The affected product is the WordPress plugin Get Youtube Subs, developed by zohaib167. All released versions up to and including 3.5 are vulnerable. The specific environment is a WordPress site running this plugin; no broader platform versions are mentioned.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate to high severity. The EPSS score of < 1% shows a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through authenticated access: a user logs in with Contributor or higher privileges, manipulates the plugin’s parameters to store malicious scripts, and then an unsuspecting visitor triggers the script when viewing the affected page. Because the flaw is stored, the exploit does not need to rely on additional user interaction beyond site visitation. The risk is therefore contingent on the presence of contributor privileges and the use of the vulnerable plugin on a public site.

Generated by OpenCVE AI on April 21, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Get Youtube Subs plugin to version 3.6 or later, which removes the insecure parameter handling and applies proper output escaping.
  • If an immediate upgrade is not possible, manually sanitize or delete any database entries that contain malicious scripts in the ‘channel’, ‘layout’, or ‘subs_count’ fields.
  • Consider restricting contributor and other non‑administrator roles from accessing the plugin’s settings or disabling the plugin for those roles until a patch is applied.
  • If feasible, deploy a web application firewall rule that blocks injected scripts in the affected parameters, treating them as XSS payloads.

Generated by OpenCVE AI on April 21, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22505 The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘channel', 'layout', and 'subs_count’ parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 24 Jul 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 24 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Jul 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘channel', 'layout', and 'subs_count’ parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Get Youtube Subs <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:58.807Z

Reserved: 2025-07-21T18:08:52.069Z

Link: CVE-2025-7966

cve-icon Vulnrichment

Updated: 2025-07-24T13:34:55.681Z

cve-icon NVD

Status : Deferred

Published: 2025-07-24T10:15:29.370

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses