Cross-site Scripting in YouTube Embed Plugin by WordPress
CVE-2025-68599

Currently unrated

Key Information:

Vendor

WordPress

CVE Published:
24 December 2025

What is CVE-2025-68599?

The YouTube Embed plugin for WordPress is vulnerable to Stored Cross-site Scripting (XSS) because user input is not properly neutralized during web page generation. The issue affects versions of the plugin up to and including 5.4. It potentially permits attackers to inject malicious scripts into web pages viewed by users, leading to a range of security issues including data theft and session hijacking.

Affected Version(s)

YouTube Embed <= n/a

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ | Patchstack Bug Bounty Program