Impact
The Show YouTube video plugin for WordPress contains a stored cross‑site scripting flaw due to insufficient sanitization of attributes supplied to its syv shortcode. When an authenticated user with contributor-level access supplies a malicious value for the shortcode’s id or similar attribute, the value is saved to the database and later rendered without proper escaping. Attackers can therefore inject arbitrary JavaScript that executes in the browser of any user who accesses a page containing the compromised shortcode, potentially enabling defacement, data theft, or malware delivery.
Affected Systems
All installations of the Show YouTube video plugin for WordPress running version 1.1 or earlier are vulnerable. The plugin is distributed via the WordPress plugin repository; every release up to and including 1.1 is affected, and no later release is known to contain the flaw.
Risk and Exploitability
The severity rating is moderate (CVSS 6.4). The EPSS score indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated contributor, a role that is commonly granted on many WordPress sites; based on typical WordPress role configurations, many sites are inferred to grant contributor access, which widens the potential attack surface. Once a contributor inserts a malicious id attribute into a syv shortcode in a post or page, the plugin stores the value and later renders it without escaping, so any visitor to that page immediately executes the injected script. This straightforward exploitation path implies a high likelihood of compromise for sites still running version 1.1 or earlier.
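The root cause described in both sections above is the same: a shortcode attribute is stored and later written into HTML without validation or escaping. The following is an added example, not the plugin's own code, of how a shortcode handler for a `syv` shortcode with an `id` attribute can be written so that the stored value never reaches the page as markup. The function names, the extra `width`/`height` attributes, the embed markup and the assumption that a valid video ID is exactly 11 URL-safe characters are all hypothetical; only the shortcode name `syv` and the `id` attribute come from the advisory.

```php
<?php
// Added example (not the plugin's own code): a hardened handler for a
// hypothetical "syv" shortcode. The real plugin's markup and any attributes
// beyond "id" are not known from the advisory; the 11-character YouTube
// video ID format is an assumption used for the allow-list.

// The pattern the advisory describes: the attribute value is stored with the
// post and later concatenated straight into HTML, so a crafted id becomes
// markup (and script) in every visitor's browser. Kept here only for
// contrast; it is not registered below.
function syv_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'syv' );
    return '<iframe src="https://www.youtube.com/embed/' . $atts['id'] . '"></iframe>';
}

// Hardened handler: validate the id against a strict allow-list first, then
// escape every value at the point it is placed into HTML.
function syv_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'id'     => '',
            'width'  => 560,
            'height' => 315,
        ),
        $atts,
        'syv'
    );

    // Assumption: a YouTube video ID is exactly 11 URL-safe characters.
    // Anything else (quotes, angle brackets, event handlers) is rejected
    // outright rather than "cleaned", so no untrusted bytes reach the output.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $atts['id'] ) ) {
        return '<!-- syv: invalid video id -->';
    }

    // Dimensions are coerced to positive integers, so a contributor cannot
    // smuggle markup through them either.
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );
    if ( $width < 1 )  { $width  = 560; }
    if ( $height < 1 ) { $height = 315; }

    // esc_url() is applied at output time even though the id already passed
    // validation: defence in depth, and it keeps the handler safe if the
    // validation regex is ever loosened in a later change.
    $src = esc_url( 'https://www.youtube.com/embed/' . $atts['id'] );

    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
        $src,
        $width,
        $height
    );
}

add_shortcode( 'syv', 'syv_shortcode_hardened' );
```

The design choice worth noting is validate-then-escape rather than escape-only: a strict allow-list on the id rejects the malicious value at save/render time regardless of what context it is later used in, and the output escaping covers any future attribute that does not have such a clean format. On a site that cannot update immediately, the same allow-list regex can be run over stored post content to find `[syv ...]` instances whose `id` is not a plain 11-character video ID and have them reviewed before they are viewed.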
OpenCVE Enrichment