CVE-2026-1825 is a stored Cross-Site Scripting vulnerability identified in the Show YouTube video WordPress plugin developed by minor. The flaw exists in all versions up to and including 1.1 due to insufficient sanitization and escaping of user input within the 'syv' shortcode attributes. This allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the injected scripts execute in their browsers under the context of the vulnerable site, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is exploitable remotely over the network without requiring user interaction, but it does require authenticated access with contributor or higher permissions. The CVSS 3.1 base score is 6.4, reflecting a medium severity with partial impacts on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple users have editing rights. The root cause is CWE-79, improper neutralization of input during web page generation, a common web application security issue. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for mitigation.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of other users, including administrators. This can lead to theft of authentication cookies, session tokens, or other sensitive information, enabling account takeover or privilege escalation. The integrity of site content can also be compromised by unauthorized script execution. Although availability is not affected, the confidentiality and integrity impacts can be significant, especially for sites with multiple users and sensitive data. Organizations relying on this plugin risk reputational damage, data breaches, and unauthorized administrative actions if the vulnerability is exploited. Since the exploit requires authenticated access, the threat is somewhat limited to insiders or compromised accounts but remains serious in collaborative environments. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits once the vulnerability is public.

Organizations should immediately review user roles and permissions to ensure that only trusted users have contributor-level or higher access. Restricting contributor privileges can reduce the risk of exploitation. Until an official patch is released, consider disabling or uninstalling the Show YouTube video plugin if it is not essential. If the plugin is critical, implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to the 'syv' shortcode attributes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit and sanitize existing content for injected scripts. Monitor user activity logs for unusual behavior from contributors. Educate users about the risks of XSS and encourage strong authentication practices. Once a patch is available, apply it promptly. Additionally, consider using alternative plugins with better security track records if feasible.