Stored Cross-Site Scripting in YouTube Subscribe Plugin for WordPress
CVE-2025-12025

4.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 25 November 2025

What is CVE-2025-12025?

The YouTube Subscribe plugin for WordPress is vulnerable to stored cross-site scripting through its admin settings, exploitable by authenticated attackers with administrator-level permissions. The cause is insufficient input sanitization and output escaping within the plugin's admin settings. Attackers can inject arbitrary web scripts that execute when users access affected pages. This issue is particularly pertinent for multi-site WordPress installations or environments where the unfiltered_html capability has been disabled, posing a significant risk to website integrity.


Affected Version(s)

YouTube Subscribe * <= 3.0.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ZAST.AI