Description
The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The WP YouTube Lyte plugin, a WordPress extension used to embed YouTube videos more efficiently, contains an insufficiently sanitized user input handling for the 'lyte' shortcode, which allows a contributor‑level user to inject arbitrary JavaScript into posts or pages. This stored cross‑site scripting flaw is cataloged as CWE‑79 and can compromise the confidentiality, integrity, and availability of the site by executing malicious scripts in the context of any visitor who loads a page containing the maliciously crafted shortcode.

Affected Systems

The vulnerability affects any installation of the WP YouTube Lyte plugin version 1.7.29 or earlier. All users of the plugin on WordPress sites should verify the installed version and consider upgrading to the next release.

Risk and Exploitability

With a CVSS score of 6.4, the flaw is considered moderate severity. Since the EPSS score is not available and the issue is not listed in the CISA KEV catalog, the likelihood of exploitation appears low at the moment, but the vulnerability requires authenticated access at the contributor level, which many sites grant to regular content authors. Attackers can exploit the flaw by adding or editing shortcodes after gaining contributor rights, and the injected code will run when any site visitor views the affected page.

Generated by OpenCVE AI on April 16, 2026 at 02:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP YouTube Lyte plugin to the latest release that resolves the shortcode sanitization issue.
  • Inspect existing posts, pages, and custom content for occurrences of the lyte shortcode with suspicious attributes and either sanitize or delete the malicious entries before publishing.
  • If an immediate upgrade is not possible, restrict contributor‑level users from editing content that includes the lyte shortcode, or use a security plugin to block shortcode usage for certain user roles.

Generated by OpenCVE AI on April 16, 2026 at 02:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Futtta
Futtta wp Youtube Lyte
Wordpress
Wordpress wordpress
Vendors & Products Futtta
Futtta wp Youtube Lyte
Wordpress
Wordpress wordpress

Thu, 16 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Futtta Wp Youtube Lyte
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:42:32.504Z

Reserved: 2026-02-26T20:16:06.090Z

Link: CVE-2026-3299

cve-icon Vulnrichment

Updated: 2026-04-16T13:29:58.794Z

cve-icon NVD

Status : Received

Published: 2026-04-16T02:16:11.533

Modified: 2026-04-16T02:16:11.533

Link: CVE-2026-3299

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:12:02Z

Weaknesses