CVE-2025-7811: 
WordPress vulnerability analysis and mitigation

The StreamWeasels YouTube Integration plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-7811) discovered on July 28, 2025. The vulnerability affects all versions up to and including 1.4.0. The issue was identified by security researcher Gai Tanaka and reported through Wordfence's vulnerability tracking system (NVD CVE, Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes, specifically in the plugin's 'data-uuid' attribute. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized data access or manipulation of user interactions (NVD CVE).

Users should update their StreamWeasels YouTube Integration plugin to a version newer than 1.4.0 once available. Until then, it is recommended to restrict contributor access and carefully monitor user permissions (NVD CVE).