CVE-2025-4217 identifies a stored cross-site scripting vulnerability in the WP YouTube Video Optimizer plugin for WordPress, specifically in versions up to and including 1.2. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'ib_youtube' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the shortcode parameters. Because the malicious script is stored persistently in the WordPress database, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and can affect all users who view the content. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and impacts on confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation, a common vector for XSS attacks in web applications and plugins. The plugin is developed by measuremarketing and is used to optimize YouTube video embedding in WordPress sites, a popular CMS platform globally.

This vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing the page. The impact includes potential session hijacking, theft of authentication cookies, unauthorized actions performed with victim user privileges, defacement, and distribution of malware. Since WordPress powers a significant portion of websites worldwide, exploitation could lead to widespread compromise of site visitors and administrators. The attack does not affect availability but compromises confidentiality and integrity of user data and site content. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if exploited. The medium CVSS score reflects that while exploitation requires some privileges, the attack complexity is low and can have significant consequences if successful.

1. Immediately restrict contributor-level and higher user privileges to trusted personnel only until a patch is available. 2. Monitor and audit all content created or edited using the 'ib_youtube' shortcode for suspicious or unexpected script tags or JavaScript code. 3. Implement manual input validation and sanitization for shortcode attributes if possible, using WordPress security functions like wp_kses or esc_attr before saving or rendering content. 4. Disable or remove the WP YouTube Video Optimizer plugin if it is not essential or if a patch is not forthcoming. 5. Keep WordPress core and all plugins updated regularly and subscribe to security advisories from the plugin vendor and WordPress security teams. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 7. Educate site administrators and contributors about the risks of injecting untrusted content and the importance of secure content management practices.