CVE-2025-15636

Video Gallery – YouTube Gallery & Responsive Video Playlist <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 3.5.2
Time to patch: 7d

Description

The Video Gallery – YouTube Gallery & Responsive Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.5.1
Published: April 15, 2026
Last updated: April 21, 2026
Affected plugin: youtube-showcase

What Changed in the Fix

Changes introduced in v3.5.2


Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-15636

## 1. Vulnerability Summary
The **Video Gallery – YouTube Gallery & Responsive Video Playlist** plugin (up to 3.5.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin allows users with Contributor-level access (and potentially lower via AJAX) to save metadata for "Video" (`emd_video`) entities without sufficient sanitization, and subsequently displays this data in the WordPress admin dashboard or frontend gallery without proper output escaping.

The primary sink appears to be the **Video Key** (`emd_video_key`) field or other video metadata fields processed through the `emd-form-builder-lite` component.

## 2. Attack Vector Analysis
- **Vulnerable Endpoint**: `/wp-admin/admin-ajax.php`
- **AJAX Action**: `emd_formb_lite_submit_ajax_form` (available to both authenticated and unauthenticated users via `nopriv`).
- **Alternative Endpoint**: Standard WordPress Post Edit/Save for `emd_video` post type (if capability mapping allows Contributors).
- **Vulnerable Parameter**: `form_data` array (specifically fields mapping to video metadata like `emd_video_key`).
- **Required Authentication**: Contributor+ (as per advisory), though the `nopriv` AJAX registration suggests potential unauthenticated access if a form ID is known.
- **Preconditions**: A form for video submission must

Research Findings

Static analysis — not yet PoC-verified

Summary

The Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting because it fails to properly sanitize and escape the 'noaccess_msg' form setting. Authenticated attackers with contributor-level permissions can inject arbitrary web scripts into this configuration field, which then execute in the context of any user who encounters the 'unauthorized access' message on a form-protected page.

Vulnerable Code

```php
// includes/emd-form-builder-lite/emd-form-frontend.php:473
// Vulnerable sink: the stored 'noaccess_msg' setting is concatenated into the
// returned HTML without any escaping.
		} else {
			$noaccess_msg = $fcontent['settings']['noaccess_msg'];
			return "<div class='alert alert-info not-authorized'>" . $noaccess_msg . "</div>";
		}
```

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/youtube-showcase/3.5.1/includes/emd-form-builder-lite/emd-form-frontend.php /home/deploy/wp-safety.org/data/plugin-versions/youtube-showcase/3.5.2/includes/emd-form-builder-lite/emd-form-frontend.php
--- /home/deploy/wp-safety.org/data/plugin-versions/youtube-showcase/3.5.1/includes/emd-form-builder-lite/emd-form-frontend.php	2025-05-19 14:51:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/youtube-showcase/3.5.2/includes/emd-form-builder-lite/emd-form-frontend.php	2025-08-07 16:03:10.000000000 +0000
@@ -470,8 +470,8 @@
 			}
 			return emd_form_builder_lite_render_form($myform->ID,$app,$fcontent,$error,$status,$atts_set);	
 		} else {
-			$noaccess_msg = $fcontent['settings']['noaccess_msg'];
-			return "<div class='alert alert-info not-authorized'>" . $noaccess_msg . "</div>";
+			$noaccess_msg = sanitize_text_field($fcontent['settings']['noaccess_msg']);
+			return "<div class='alert alert-info not-authorized'>" . esc_html($noaccess_msg) . "</div>";
 		}
 	}
 }
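Review bot: `esc_html()` on the return line is the change that actually neutralizes this XSS; the added `sanitize_text_field()` on the read is defense in depth but does not touch the stored value, so any other code path that renders `$fcontent['settings']['noaccess_msg']` remains exposed and values already saved by 3.5.1 stay in the database unchanged. Consider also sanitizing the setting at the point where the form configuration is saved, and if the message is meant to carry admin-authored HTML, `wp_kses_post()` at output would preserve that markup while still removing script content, whereas `esc_html()` will render any tags literally.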

Exploit Outline

1. Log in to the WordPress dashboard as a user with Contributor-level access or higher.
2. Navigate to the form builder settings (via the plugin's 'Forms' menu or the custom field builder).
3. Create or edit a form configuration, locating the 'No Access Message' (noaccess_msg) setting under the General/Security tabs.
4. Inject a script payload into the 'No Access Message' field, such as: <script>alert('XSS')</script>.
5. Save the form configuration. The payload will be stored within the JSON-encoded content of the form entity.
6. Embed the form on a post or page using its shortcode.
7. Visit the page as a user who does not have access to the form (e.g., an unauthenticated user if registration/login is required). The plugin will display the injected 'No Access Message' directly without escaping, triggering the execution of the script.
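As an added defensive example (not code from the plugin or from this advisory), the following Python audits stored form content for a 'noaccess_msg' that contains markup, since upgrading to 3.5.2 escapes at render time but does not clean values already saved, and shows the escaped output the fixed code produces. The JSON layout and the sample form rows are constructed assumptions modelled on the plugin reading `$fcontent['settings']['noaccess_msg']`; `html.escape` stands in for WordPress `esc_html`.

```python
"""Audit stored form settings for a 'noaccess_msg' that carries markup.

Constructed example: the form content layout below is an assumption modelled on
the plugin reading $fcontent['settings']['noaccess_msg']; the rows are made up.
"""
import html
import json
import re

# Constructed sample rows: form entity id -> JSON-encoded form content.
SAMPLE_FORMS = {
    12: json.dumps({"settings": {"noaccess_msg": "Please log in to submit a video."}}),
    13: json.dumps({"settings": {"noaccess_msg": "Members only <script>alert('XSS')</script>"}}),
    14: json.dumps({"settings": {"noaccess_msg": "<b>Members only</b>"}}),  # benign, but still markup
    15: "not a JSON document",
}

# Anything that looks like an opening or closing HTML tag; a plain-text notice never needs one.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def noaccess_msg(content):
    """Return the stored message, or None when content is not the expected JSON."""
    try:
        return json.loads(content)["settings"]["noaccess_msg"]
    except (ValueError, KeyError, TypeError):
        return None


def audit_forms(forms):
    """Map form id -> stored message for every form whose message contains markup."""
    flagged = {}
    for form_id, content in forms.items():
        msg = noaccess_msg(content)
        if isinstance(msg, str) and TAG_RE.search(msg):
            flagged[form_id] = msg
    return flagged


def render_not_authorized(msg):
    """Render the notice the way 3.5.2 does: escape before interpolating.

    html.escape(quote=True) approximates WordPress esc_html (&, <, >, ", ').
    """
    return "<div class='alert alert-info not-authorized'>" + html.escape(msg, quote=True) + "</div>"


if __name__ == "__main__":
    for form_id, msg in audit_forms(SAMPLE_FORMS).items():
        print(f"form {form_id}: {msg!r}")
        print("  rendered by 3.5.2:", render_not_authorized(msg))
```

Form 14 is flagged too: the audit is deliberately conservative, so an administrator should review each hit rather than delete blindly.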
