CVE-2025-7966 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Get Youtube Subs plugin for WordPress, developed by zohaib167. This vulnerability affects all versions up to and including version 3.5 of the plugin. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of the 'channel', 'layout', and 'subs_count' parameters. An authenticated attacker with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages generated by the plugin. These scripts are then stored persistently and executed whenever any user accesses the compromised page. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity, requiring privileges (Contributor or above), no user interaction, and results in a scope change due to the potential impact on other users. The impact affects confidentiality and integrity, allowing attackers to execute scripts that could steal session cookies, perform actions on behalf of users, or manipulate page content. No known exploits are currently reported in the wild, and no official patches have been linked yet. Given the nature of WordPress plugins and their widespread use, this vulnerability poses a significant risk to websites using this plugin, especially those with multiple users or contributors.

For European organizations using WordPress websites with the Get Youtube Subs plugin, this vulnerability could lead to unauthorized script execution affecting site visitors and administrators. Potential impacts include theft of authentication tokens, leading to account takeover, unauthorized actions performed on behalf of legitimate users, defacement or manipulation of website content, and possible distribution of malware to visitors. Since the vulnerability requires Contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The confidentiality and integrity of user data and site content are at risk, which could damage organizational reputation and lead to regulatory compliance issues under GDPR if personal data is compromised. The scope of impact extends beyond the initial compromised account due to the stored nature of the XSS, affecting all users who visit the injected pages. Although availability is not directly impacted, the indirect effects such as loss of trust and potential blacklisting by search engines could affect business continuity and online presence.

European organizations should immediately audit their WordPress installations to identify the presence of the Get Youtube Subs plugin and its version. Until an official patch is released, organizations should consider disabling or removing the plugin to eliminate the attack surface. Implement strict role-based access controls to limit Contributor-level permissions only to trusted users and regularly review user privileges. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns related to the vulnerable parameters ('channel', 'layout', 'subs_count'). Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. Conduct regular security training for contributors to recognize phishing and social engineering attempts that could lead to account compromise. Monitor website logs for unusual activity or script injections. Once a patch becomes available, prioritize prompt application of updates. Additionally, implement input validation and output encoding best practices in custom code to prevent similar vulnerabilities.