CVE-2025-58915: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Emarket-design's YouTube Showcase WordPress plugin, identified as CVE-2025-58915. The vulnerability affects versions through 3.5.0 of the YouTube Showcase plugin. The issue was initially reported on April 28, 2025, and was publicly disclosed on September 22, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges to exploit (Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are executed when guests visit the affected site, potentially compromising the security of website visitors (Patchstack).

The vulnerability has been patched in version 3.5.1 of the YouTube Showcase plugin. Users are advised to update to version 3.5.1 or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).