CVE-2025-15636
Stored XSS in Emarket-design YouTube Showcase up to
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emarket-design | youtube_showcase | From 3.0.0 (inc) to 3.5.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15636 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the WordPress YouTube Showcase plugin by Emarket Design, affecting versions from 3.0.0 up to and including 3.5.1.
An attacker holding an account with at least Contributor privileges can store a payload, such as a redirect, an injected advertisement or other HTML/JavaScript, in content handled by the plugin; the plugin does not neutralize it on output, so it executes in the browser of anyone who views the affected page.
Because the payload is stored server-side, the attacker does not have to lure each victim to a crafted link; exploitation still depends on a victim (a visitor or, more seriously, an administrator) opening the page where the payload is rendered.
The issue falls under OWASP Top 10 category A03: Injection and carries a CVSS base score of 6.5, a Medium severity rating.
How can this vulnerability impact me?
An attacker can run script in your visitors' browsers in the context of your site, which is typically used for unwanted redirects, unauthorized advertisements or other harmful HTML payloads; if a logged-in administrator views the page, the script runs with that administrator's browser session.
Such attacks compromise the integrity and trustworthiness of your site, can harm your users and can damage your reputation.
Although rated Medium severity, flaws of this kind in widely installed plugins are commonly abused in mass campaigns that target many WordPress sites indiscriminately rather than in attacks aimed at one site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with establishing whether the YouTube Showcase plugin is installed and active at a version in the affected range (3.0.0 to 3.5.1 inclusive).
Since this is a stored XSS vulnerability, any payload lives in content the plugin saved to the database; reviewing Contributor-submitted plugin content, and the pages generated from it, for unexpected script tags, inline event handlers or javascript: URLs can reveal exploitation.
You can check the plugin version using WordPress CLI commands such as:
- wp plugin list --status=active
- wp plugin get youtube-showcase --field=version
Additionally, inspecting HTTP responses for injected scripts or unexpected HTML in pages the plugin generates may reveal exploitation attempts; compare against a known-good copy of the page, since a normal WordPress page legitimately contains many script tags of its own.
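The two checks above, a version test against the affected range and a scan of stored content for payload markers, as a POSIX shell script. This is an added example and not code from the advisory, Patchstack or the plugin; it assumes the WordPress root is under `$WP_ROOT` and that the plugin lives under the slug `youtube-showcase` with a main file of the same name (the slug the wp-cli command above uses). It works directly on the plugin's header file, so it also runs on hosts where wp-cli is not installed.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): offline check of an installed
# YouTube Showcase copy against the affected range 3.0.0..3.5.1, plus a grep for the
# markers a stored-XSS payload usually needs.
# Assumptions: WordPress root in $WP_ROOT; plugin installed under the slug
# "youtube-showcase" with main file youtube-showcase.php.

WP_ROOT="${WP_ROOT:-/var/www/html}"
PLUGIN_MAIN="$WP_ROOT/wp-content/plugins/youtube-showcase/youtube-showcase.php"
AFFECTED_LO="3.0.0"
AFFECTED_HI="3.5.1"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Compares dotted components
# numerically, so 3.5.10 sorts after 3.5.1 (a plain string comparison gets this wrong).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes such as "-beta"
        ai="${ai:-0}"; bi="${bi:-0}"                 # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# in_affected_range V: succeeds if AFFECTED_LO <= V <= AFFECTED_HI, both ends
# inclusive, matching the "(inc)" markers in the affected-products table.
in_affected_range() {
    [ "$(vercmp "$1" "$AFFECTED_LO")" -ge 0 ] && [ "$(vercmp "$1" "$AFFECTED_HI")" -le 0 ]
}

# plugin_version FILE: read the "Version:" line of a WordPress plugin header block.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# xss_marker_count: count the lines on stdin carrying a script tag, an inline
# event handler (onerror=, onload=, ...) or a javascript: URL. Run it over content
# Contributors could have saved, not over whole rendered pages, which legitimately
# contain WordPress's own script tags.
xss_marker_count() {
    grep -Eic '<script|[[:space:]]on[a-z]+[[:space:]]*=|javascript:' || true
}

# Stand-alone use: report the installed version against the affected range.
if [ -f "$PLUGIN_MAIN" ]; then
    v="$(plugin_version "$PLUGIN_MAIN")"
    if in_affected_range "$v"; then
        echo "youtube-showcase $v is in the affected range $AFFECTED_LO..$AFFECTED_HI: update to 3.5.2 or later"
    else
        echo "youtube-showcase $v is outside the affected range"
    fi
fi
```

To scan stored content, pipe it into `xss_marker_count`, for example the output of `wp post get <ID> --field=post_content` for each post the plugin owns; a non-zero count is a lead to review by hand, not proof of compromise, since legitimate embeds can also contain the markers.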
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the YouTube Showcase plugin to version 3.5.2 or later, where the vulnerability is resolved.
If updating immediately is not possible, deactivate the plugin until it can be updated so that the affected content is no longer rendered.
Enabling auto-updates for plugins helps ensure such fixes are applied promptly in future.
Additionally, audit which accounts hold Contributor or higher roles and remove or downgrade any that are not trusted, since exploitation requires an account at that level.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in the YouTube Showcase plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.