YouTube Video Inserter <= 1.2.1.0 Reflected Cross-Site Scripting
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
YouTube Video Inserter plugin <=1.2.1.0 has reflected XSS via $_SERVER['PHP_SELF'] in adminUI/settings.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The YouTube Video Inserter WordPress plugin versions up to and including 1.2.1.0 contain a reflected cross-site scripting vulnerability in the ~/adminUI/settings.php file. The $_SERVER["PHP_SELF"] value is echoed without proper sanitization, allowing attackers to inject arbitrary web scripts via a crafted URL. [1]
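The pattern described above, as an added PHP illustration: it is not the plugin's code, which this page does not reproduce. The function names and the sample value are constructed for the example, and htmlspecialchars() is used so the script runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Function names and the sample
// value are constructed for this example.

// Vulnerable pattern: PHP_SELF carries any extra path text the client sent
// after the script name, so echoing it raw puts request data into the page.
function form_open_raw(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened: encode for the HTML attribute context before output.
// (Inside WordPress, esc_url() is the usual helper for a URL attribute.)
function form_open_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Preferred: reflect nothing. Without an action attribute the browser
// submits the form to the current document URL.
function form_open_static(): string
{
    return '<form method="post">';
}

// Counts <b> elements an HTML parser creates from the generated markup.
function injected_elements(string $formOpen): int
{
    libxml_use_internal_errors(true); // tolerate the deliberately odd markup
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $formOpen . '</form></body></html>');
    return $doc->getElementsByTagName('b')->length;
}

// Constructed sample: script name followed by path text containing markup.
$sample = '/settings.php/"><b>injected</b>';

printf("raw:     %d injected element(s)\n", injected_elements(form_open_raw($sample)));
printf("escaped: %d injected element(s)\n", injected_elements(form_open_escaped($sample)));
printf("static:  %d injected element(s)\n", injected_elements(form_open_static()));
```

The same three-way comparison can be used when auditing other plugins for raw output of $_SERVER["PHP_SELF"].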
Exploitation
An attacker can exploit this by crafting a URL whose request path makes $_SERVER["PHP_SELF"] contain malicious JavaScript. The victim, typically an administrator, must be logged in and visit the crafted URL. No additional authentication or privileges are required for the attacker. [1]
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into the admin panel. This can lead to session hijacking, defacement, or other malicious actions within the context of the victim's browser session. [1]
Mitigation
The plugin has been closed and removed from the WordPress.org repository as of September 7, 2021, due to a security issue. No patched version is available. Users should uninstall the plugin immediately to eliminate the vulnerability. If immediate removal is not possible, consider disabling the plugin or implementing a Web Application Firewall (WAF) rule to block malicious requests. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.1.0
- YouTube Video Inserter/YouTube Video Inserter (v5), Range: 1.2.1.0
Patches
youtube-video-inserter: This plugin has been removed from the WordPress.org directory on 2021-09-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- plugins.trac.wordpress.org/browser/youtube-video-inserter/trunk/adminUI/settings.php (mitre, x_refsource_MISC)
- www.wordfence.com/vulnerability-advisories/ (mitre, x_refsource_MISC)