The Get Youtube Subs plugin for WordPress, developed by zohaib167, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-7966. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'channel', 'layout', and 'subs_count' parameters. All versions up to and including 3.5 are affected. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting network exploitability with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches have been officially released at the time of publication, and no known exploits are reported in the wild. The vulnerability was reserved and published in July 2025 by Wordfence. Given the plugin’s usage in WordPress environments, this vulnerability poses a significant risk to websites that rely on it for YouTube subscriber display functionality.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the Get Youtube Subs plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. The compromise of administrative accounts could lead to full site takeover, data breaches, or further malware deployment. Since the vulnerability affects all versions up to 3.5, any unpatched or unmitigated site remains at risk. The impact extends to the confidentiality and integrity of user data and site content, although availability is not directly affected. Organizations with multiple contributors or less restrictive access controls are at higher risk. The lack of known exploits in the wild suggests limited active exploitation currently, but the medium severity and ease of exploitation by authenticated users make timely remediation critical to prevent future attacks.

Organizations should immediately audit their WordPress installations to identify the presence of the Get Youtube Subs plugin and its version. Until an official patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns in the affected parameters ('channel', 'layout', 'subs_count') can provide temporary protection. Site administrators should also consider disabling or removing the plugin if it is not essential. Monitoring site content for unexpected script injections and conducting regular security scans can help detect exploitation attempts. Once a patch becomes available, prompt updating of the plugin is essential. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Educating contributors about safe input practices and limiting the use of untrusted content in plugin parameters will further reduce risk.