{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12025", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T14:56:43.578Z", "datePublished": "2025-11-25T07:28:23.149Z", "dateUpdated": "2026-04-08T17:10:56.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:56.419Z"}, "affected": [{"vendor": "mahabubs", "product": "YouTube Subscribe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "YouTube Subscribe <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve"}, {"url": "https://wordpress.org/plugins/easy-youtube-subscribe/"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2025-11-24T19:13:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:55:06.827389Z", "id": "CVE-2025-12025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:55:14.223Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:55:06.827389Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:55:10.915Z"}}], "cna": {"title": "YouTube Subscribe <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mahabubs", "product": "YouTube Subscribe", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:13:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve"}, {"url": "https://wordpress.org/plugins/easy-youtube-subscribe/"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246"}], "descriptions": [{"lang": "en", "value": "The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:56.419Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12025", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:56.419Z", "dateReserved": "2025-10-21T14:56:43.578Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:23.149Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-12025", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:47.507", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/easy-youtube-subscribe/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:18:55.875869+00:00", "value": {"mitigation_remediation": ["Upgrade the YouTube Subscribe plugin to the latest version (\u2265\u202f3.0.1) which removes the vulnerable parameter handling.", "Disable or remove the plugin from the multisite network if an upgrade cannot be performed immediately.", "Audit administrator accounts for signs of compromise and consider restricting or rotating credentials, since the flaw requires admin\u2011level access."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the mahabubs YouTube Subscribe plugin up to and including version 3.0.0 are affected. The problem exists on WordPress installations that are configured as multisite and where the unfiltered_html capability is turned off, which is a requirement for the stored data to be output unsanitized. The plugin is only vulnerable to attacks originating from accounts that have administrator rights or higher within the network.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the YouTube Subscribe WordPress plugin that allows administrators or users with higher privileges to insert malicious JavaScript through the plugin\u2019s admin settings. Because the input is not properly sanitized or escaped, a compromised account can inject scripts that run automatically whenever a visitor loads a page that contains the injected data. The impact is that any user who views a page with the payload can have their browser session hijacked, cookies stolen, or malicious actions performed on behalf of the user. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium severity. The EPSS score of less than 1\u202f% suggests a low probability of publicly available exploitation. The vulnerability is not listed in the CISA KEV catalog, and there is no publicly known exploit that targets this flaw yet. The attack path requires that the attacker first gains administrative access to the WordPress installation and then uses the plugin\u2019s settings page to inject malicious code. Because the flaw is limited to multi\u2011site environments with unfiltered_html disabled, the potential damage is confined to those specific deployments."}}}}, "created": "2025-11-26T11:11:00.512019+00:00", "updated": "2026-04-22T12:30:16.828879+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}