Stored Cross-Site Scripting in StreamWeasels YouTube Integration by WordPress
CVE-2025-7811

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Streamweasels Youtube Integration
Vendor: CVE Published:; 29 July 2025

What is CVE-2025-7811?

The StreamWeasels YouTube Integration plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) attacks due to inadequate input sanitization and output escaping on user-supplied attributes, specifically the 'data-uuid' attribute. This vulnerability affects all versions up to and including 1.4.0 and allows authenticated users with contributor-level access and above to inject malicious scripts into the web pages, leading to potential exploitation whenever a user accesses the compromised content.

Affected Version(s)

StreamWeasels YouTube Integration * <= 1.4.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/streamweasels-...

https://plugins.trac.wordpress.org/changeset/3335284#file11

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 29, 2025
Vulnerability Reserved
Jul 18, 2025

Credit

Gai Tanaka