CVE-2025-24721 identifies a stored cross-site scripting (XSS) vulnerability in the Easy YouTube Gallery WordPress plugin developed by Aleksandar Urošević. The vulnerability is due to improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators view the affected pages, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or redirection to malicious websites. The affected versions include all releases up to and including version 1.0.4. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability does not require authentication or user interaction beyond visiting a compromised page, increasing its risk profile. The plugin is used primarily in WordPress environments to embed YouTube galleries, making websites that rely on it vulnerable to persistent XSS attacks. The lack of available patches or official fixes at the time of publication necessitates immediate attention from site administrators to mitigate risk.

The stored XSS vulnerability in Easy YouTube Gallery can have severe consequences for organizations worldwide. Attackers can exploit this flaw to execute arbitrary JavaScript in the context of the vulnerable website, potentially leading to session hijacking, theft of sensitive user information, unauthorized actions on behalf of users, and distribution of malware. For organizations, this can result in compromised user accounts, loss of customer trust, reputational damage, and potential regulatory penalties if personal data is exposed. Additionally, attackers may use the vulnerability to deface websites or redirect visitors to phishing or malicious sites, impacting availability and integrity. Since the vulnerability is stored and persistent, it can affect all users who access the compromised pages, amplifying the scope of impact. The ease of exploitation without authentication or complex prerequisites further elevates the threat level, especially for websites with high traffic or sensitive user bases.

To mitigate CVE-2025-24721, organizations should immediately assess whether their WordPress sites use the Easy YouTube Gallery plugin, specifically versions up to 1.0.4. If so, they should prioritize updating to a patched version once available from the vendor. In the absence of an official patch, administrators should consider temporarily disabling or removing the plugin to eliminate the attack vector. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide interim protection. Additionally, site owners should audit all user-generated content and inputs handled by the plugin to identify and sanitize any malicious scripts. Employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Regularly monitoring website logs and user reports for suspicious activity can aid in early detection of exploitation attempts. Finally, educating site administrators and users about the risks of XSS and safe browsing practices is recommended.