CVE-2025-54731: 
WordPress vulnerability analysis and mitigation

CVE-2025-54731 is a PHP Object Injection vulnerability affecting the WordPress YouTube Showcase plugin versions through 3.5.1. The vulnerability was discovered by Martino Spagnuolo (r3verii) and was publicly disclosed on August 25, 2025. This security issue affects the emarket-design YouTube Showcase plugin and allows Object Injection without requiring authentication (Patchstack).

The vulnerability is classified as a PHP Object Injection flaw with a CVSS v3.1 base score of 8.1 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue falls under the OWASP Top 10 category A3: Injection. The vulnerability requires no authentication to exploit, making it particularly dangerous (Patchstack).

This vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, and denial of service attacks if a proper POP chain is present. The high CVSS score of 8.1 indicates that this vulnerability is highly dangerous and expected to become mass exploited (Patchstack).

Users are advised to update to version 3.5.2 or later to remove the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users have updated to a fixed version (Patchstack).