{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7966", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-21T18:08:52.069Z", "datePublished": "2025-07-24T09:22:16.991Z", "dateUpdated": "2026-04-08T16:54:58.807Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:58.807Z"}, "affected": [{"vendor": "zohaib167", "product": "Get Youtube Subs", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018channel', 'layout', and 'subs_count\u2019 parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Get Youtube Subs <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a25728c-3d98-414b-bad0-2c05eb1f4ca2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/get-youtube-subs/trunk/includes/youtubesubs-class.php#L142"}, {"url": "https://wordpress.org/plugins/get-youtube-subs/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-07-23T20:40:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T13:08:24.619676Z", "id": "CVE-2025-7966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:36:12.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T13:08:24.619676Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T13:34:55.681Z"}}], "cna": {"title": "Get Youtube Subs <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "zohaib167", "product": "Get Youtube Subs", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T20:40:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a25728c-3d98-414b-bad0-2c05eb1f4ca2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/get-youtube-subs/trunk/includes/youtubesubs-class.php#L142"}, {"url": "https://wordpress.org/plugins/get-youtube-subs/#developers"}], "descriptions": [{"lang": "en", "value": "The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018channel', 'layout', and 'subs_count\u2019 parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:58.807Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7966", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:58.807Z", "dateReserved": "2025-07-21T18:08:52.069Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T09:22:16.991Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018channel', 'layout', and 'subs_count\u2019 parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Get YouTube Subs para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los par\u00e1metros \"channel\", \"layout\" y \"subs_count\" en todas las versiones hasta la 3.5 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7966", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-24T10:15:29.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/get-youtube-subs/trunk/includes/youtubesubs-class.php#L142"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/get-youtube-subs/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a25728c-3d98-414b-bad0-2c05eb1f4ca2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:51:26.558528+00:00", "value": {"mitigation_remediation": ["Upgrade the Get Youtube Subs plugin to version 3.6 or later, which removes the insecure parameter handling and applies proper output escaping.", "If an immediate upgrade is not possible, manually sanitize or delete any database entries that contain malicious scripts in the \u2018channel\u2019, \u2018layout\u2019, or \u2018subs_count\u2019 fields.", "Consider restricting contributor and other non\u2011administrator roles from accessing the plugin\u2019s settings or disabling the plugin for those roles until a patch is applied.", "If feasible, deploy a web application firewall rule that blocks injected scripts in the affected parameters, treating them as XSS payloads."], "summary": {"action": "Upgrade Plugin", "impact": "Stored Cross\u2011Site Scripting via the subscribe_link_att function executed with Contributor or higher access"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Get Youtube Subs, developed by zohaib167. All released versions up to and including 3.5 are vulnerable. The specific environment is a WordPress site running this plugin; no broader platform versions are mentioned.", "description_and_impact": "The vulnerability allows an authenticated user with Contributor-level or higher permissions to inject arbitrary JavaScript into stored data using the \u2018channel\u2019, \u2018layout\u2019, and \u2018subs_count\u2019 parameters of the Get Youtube Subs plugin. When a user visits a page that includes this malicious content, the script runs in their browser, potentially giving the attacker access to the visitor\u2019s session cookies, personal data, or allowing unauthorized actions. This is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate to high severity. The EPSS score of <\u202f1% shows a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through authenticated access: a user logs in with Contributor or higher privileges, manipulates the plugin\u2019s parameters to store malicious scripts, and then an unsuspecting visitor triggers the script when viewing the affected page. Because the flaw is stored, the exploit does not need to rely on additional user interaction beyond site visitation. The risk is therefore contingent on the presence of contributor privileges and the use of the vulnerable plugin on a public site."}}}}, "created": "2025-07-24T21:26:40.988841+00:00", "updated": "2026-04-21T04:00:10.058266+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}