WordPress YouTube Embed, Playlist and Popup by WpDevArt Plugin <= 2.6.3 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS vulnerability in YouTube Embed, Playlist and Popup plugin for WordPress allows admin-level attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The YouTube Embed, Playlist and Popup by WpDevArt plugin for WordPress (slug: youtube-video-player) versions up to and including 2.6.3 contain a stored cross-site scripting (XSS) vulnerability. The flaw resides in an input field that is accessible to users with administrator-level privileges (admin+). When an admin saves a crafted payload, it is stored and later rendered without proper sanitization, leading to script execution in the context of other admin users who view the affected page.
Exploitation
An attacker must first obtain an administrator account on the target WordPress site. With that access, they can navigate to the plugin's settings or content creation interface and inject a malicious JavaScript payload into a vulnerable input field (e.g., video title, description, or embed options). The payload is stored in the database and subsequently executed whenever another administrator (or the attacker themselves) loads the page that displays the stored data. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrator who visits the affected page. This can lead to session hijacking, theft of authentication cookies, forced administrative actions (e.g., creating new admin accounts), defacement of the site, or redirection to malicious sites. The attack operates within the security context of the logged-in administrator, potentially granting full control over the WordPress installation.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of May 7, 2025, due to a security issue [1]. No patched version was ever released through the official directory. Users who have the plugin installed should immediately uninstall it and replace it with an alternative solution. There is no known workaround that fully addresses the vulnerability without removing the plugin.
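As an added example (not part of this advisory), a small POSIX shell check that a site operator can run over WP-CLI output to find out whether the closed plugin is installed at an affected version and print the removal commands; it assumes WP-CLI (`wp`) is available on the host, and the plugin-list CSV embedded below is constructed sample data.

```shell
#!/bin/sh
# Detect an installed youtube-video-player plugin at a version <= 2.6.3
# and print the remediation commands (deactivate, then delete).

AFFECTED_SLUG="youtube-video-player"
LAST_AFFECTED="2.6.3"

# Returns 0 when version $1 is <= LAST_AFFECTED, comparing dotted
# components numerically (so 2.10 > 2.6.3), 1 otherwise.
is_affected_version() {
    awk -v v="$1" -v max="$LAST_AFFECTED" 'BEGIN {
        n = split(v, a, "."); m = split(max, b, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 0
    }'
}

# Reads `wp plugin list --format=csv` (name,status,update,version) on stdin;
# prints "<status> <version>" for the affected slug when its version is affected.
find_affected_install() {
    awk -F, -v slug="$AFFECTED_SLUG" 'NR > 1 && $1 == slug { print $2, $4 }' |
    while read -r status version; do
        if is_affected_version "$version"; then
            printf '%s %s\n' "$status" "$version"
        fi
    done
}

# Constructed sample of WP-CLI output; on a real host replace with:
#   wp plugin list --format=csv | find_affected_install
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
youtube-video-player,active,none,2.6.3'

found=$(printf '%s\n' "$SAMPLE_PLUGIN_LIST" | find_affected_install)
if [ -n "$found" ]; then
    echo "Affected plugin installed ($found). No fixed release exists; remove it:"
    echo "  wp plugin deactivate $AFFECTED_SLUG"
    echo "  wp plugin delete $AFFECTED_SLUG"
else
    echo "Affected plugin not installed at an affected version."
fi
```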
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.6.3
- WPdevart / YouTube Embed, Playlist and Popup by WpDevArt: Range: n/a
Patches
youtube-video-player: This plugin was removed from the WordPress.org directory on 2025-05-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page