{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15636", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T15:53:13.255Z", "datePublished": "2026-04-15T15:55:51.930Z", "dateUpdated": "2026-04-28T16:10:57.676Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "youtube-showcase", "product": "YouTube Showcase", "vendor": "emarket-design", "versions": [{"changes": [{"at": "3.5.2", "status": "unaffected"}], "lessThanOrEqual": "3.5.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:24.546Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS.<p>This issue affects YouTube Showcase: from n/a through <= 3.5.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through <= 3.5.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:10:57.676Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:22:40.522655Z", "id": "CVE-2025-15636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:23:39.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:22:40.522655Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:22:45.890Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Emarket-design", "product": "YouTube Showcase", "versions": [{"status": "affected", "changes": [{"at": "3.5.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.5.1"}], "packageName": "youtube-showcase", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress YouTube Showcase plugin to the latest available version (at least 3.5.2).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress YouTube Showcase plugin to the latest available version (at least 3.5.2).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.<p>This issue affects YouTube Showcase: from n/a through 3.5.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:55:51.930Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15636", "state": "PUBLISHED", "dateUpdated": "2026-04-15T17:23:39.918Z", "dateReserved": "2026-04-15T15:53:13.255Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T15:55:51.930Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through <= 3.5.1."}], "id": "CVE-2025-15636", "lastModified": "2026-04-23T15:22:54.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-15T17:17:00.437", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.5.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "YouTube Showcase", "source": "cna", "vendor": "Emarket-design"}, "product": "youtube_showcase", "vendor": "emarket-design"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T21:34:20.635088+00:00", "value": {"mitigation_remediation": ["Update the WordPress YouTube Showcase plugin to version 3.5.2 or newer to eliminate the stored XSS flaw", "If an immediate update is not possible, temporarily disable the plugin or delete any content that may contain injected scripts", "Implement a Content Security Policy to restrict inline script execution and reduce the impact of any residual XSS"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) that can execute arbitrary JavaScript in user browsers"}, "threat_synthesis": {"affected_systems": "All installations of the Emarket\u2011design WordPress YouTube Showcase plugin from the earliest release through version 3.5.1 are affected. Users should verify their installed plugin version and consider that any content stored prior to an update could contain malicious scripts.", "description_and_impact": "An improper neutralization of input during web page generation in the emarket\u2011design YouTube Showcase plugin allows attackers to store malicious JavaScript that will run whenever the plugin\u2019s content is rendered. The vulnerability is classified as a stored XSS flaw (CWE\u201179). Based on the description, it is inferred that any JavaScript injected through the plugin\u2019s input fields will be executed in the context of users visiting pages that include the plugin.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The CVE does not specify an attack vector; however, the stored XSS nature implies that exploiting the flaw requires the attacker to submit malicious content to the plugin\u2019s data fields, which may be accessible via the WordPress admin interface or through user\u2011provided input if the plugin allows it. The EPSS score of < 1% indicates a very low probability that the vulnerability will be exploited, and the vulnerability is not listed in the KEV catalog, so publicly known exploits are not recorded at this time. The persistence of the injected script means the risk remains until the plugin is updated or the stored data is removed."}}}}, "created": "2026-04-15T20:45:06.102693+00:00", "updated": "2026-04-28T21:45:26.137430+00:00", "vendors": ["emarket-design", "emarket-design$PRODUCT$youtube_showcase", "wordpress", "wordpress$PRODUCT$wordpress"]}