CVE-2025-7966

The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.5. The vulnerability stems from insufficient input sanitization and output escaping on the 'channel', 'layout', and 'subs_count' parameters, allowing attackers to inject arbitrary HTML and JavaScript [1].

Exploitation requires an authenticated attacker with at least Contributor-level access. The attacker can inject malicious scripts via the plugin's settings or widget configuration, and the payload will execute whenever a user accesses the affected page [1].

Successful exploitation enables arbitrary web script execution in the context of the victim's browser, potentially leading to session hijacking, data theft, or website defacement [1].

As of July 22, 2025, the plugin has been closed on WordPress.org due to this security issue, and no patched version is available [1]. Users are advised to remove the plugin from their installations.