[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEO6RlPceanScgE_gUU7Sxvi9NRIXmqyfEW-0Sp7tSnI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-15636","video-gallery-youtube-gallery-responsive-video-playlist-authenticated-contributor-stored-cross-site-scripting","Video Gallery – YouTube Gallery & Responsive Video Playlist \u003C= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Video Gallery – YouTube Gallery & Responsive Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","youtube-showcase",null,"\u003C=3.5.1","3.5.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 00:00:00","2026-04-21 15:02:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffa701f35-88b6-4ba9-bbda-0cbb1b341d84?source=api-prod",7,[22,23,24,25,26,27,28,29],"includes\u002Fadmin\u002Fgetting-started.php","includes\u002Fclass-install-deactivate.php","includes\u002Femd-form-builder-lite\u002Femd-form-frontend.php","includes\u002Femd-form-builder-lite\u002Femd-form-settings.php","includes\u002Femd-lite\u002Femd-lite.php","includes\u002Fentities\u002Fclass-emd-entity.php","includes\u002Fwidget-functions.php","lang\u002Fyoutube-showcase.pot","researched",false,3,"```markdown\n# Exploitation Research Plan - CVE-2025-15636\n\n## 1. Vulnerability Summary\nThe **Video Gallery – YouTube Gallery & Responsive Video Playlist** plugin (up to 3.5.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin allows users with Contributor-level access (and potentially lower via AJAX) to save metadata for \"Video\" (`emd_video`) entities without sufficient sanitization, and subsequently displays this data in the WordPress admin dashboard or frontend gallery without proper output escaping.\n\nThe primary sink appears to be the **Video Key** (`emd_video_key`) field or other video metadata fields processed through the `emd-form-builder-lite` component.\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `emd_formb_lite_submit_ajax_form` (available to both authenticated and unauthenticated users via `nopriv`).\n- **Alternative Endpoint**: Standard WordPress Post Edit\u002FSave for `emd_video` post type (if capability mapping allows Contributors).\n- **Vulnerable Parameter**: `form_data` array (specifically fields mapping to video metadata like `emd_video_key`).\n- **Required Authentication**: Contributor+ (as per advisory), though the `nopriv` AJAX registration suggests potential unauthenticated access if a form ID is known.\n- **Preconditions**: A form for video submission must","The Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting because it fails to properly sanitize and escape the 'noaccess_msg' form setting. Authenticated attackers with contributor-level permissions can inject arbitrary web scripts into this configuration field, which then execute in the context of any user who encounters the 'unauthorized access' message on a form-protected page.","\u002F\u002F includes\u002Femd-form-builder-lite\u002Femd-form-frontend.php:473\n\t\t} else {\n\t\t\t$noaccess_msg = $fcontent['settings']['noaccess_msg'];\n\t\t\treturn \"\u003Cdiv class='alert alert-info not-authorized'>\" . $noaccess_msg . 
\"\u003C\u002Fdiv>\";\n\t\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-showcase\u002F3.5.1\u002Fincludes\u002Femd-form-builder-lite\u002Femd-form-frontend.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-showcase\u002F3.5.2\u002Fincludes\u002Femd-form-builder-lite\u002Femd-form-frontend.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-showcase\u002F3.5.1\u002Fincludes\u002Femd-form-builder-lite\u002Femd-form-frontend.php\t2025-05-19 14:51:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-showcase\u002F3.5.2\u002Fincludes\u002Femd-form-builder-lite\u002Femd-form-frontend.php\t2025-08-07 16:03:10.000000000 +0000\n@@ -470,8 +470,8 @@\n \t\t\t}\n \t\t\treturn emd_form_builder_lite_render_form($myform->ID,$app,$fcontent,$error,$status,$atts_set);\t\n \t\t} else {\n-\t\t\t$noaccess_msg = $fcontent['settings']['noaccess_msg'];\n-\t\t\treturn \"\u003Cdiv class='alert alert-info not-authorized'>\" . $noaccess_msg . \"\u003C\u002Fdiv>\";\n+\t\t\t$noaccess_msg = sanitize_text_field($fcontent['settings']['noaccess_msg']);\n+\t\t\treturn \"\u003Cdiv class='alert alert-info not-authorized'>\" . esc_html($noaccess_msg) . \"\u003C\u002Fdiv>\";\n \t\t}\n \t}\n }","1. Log in to the WordPress dashboard as a user with Contributor-level access or higher.\n2. Navigate to the form builder settings (via the plugin's 'Forms' menu or the custom field builder).\n3. Create or edit a form configuration, locating the 'No Access Message' (noaccess_msg) setting under General\u002FSecurity tabs.\n4. Inject a script payload into the 'No Access Message' field, such as: \u003Cscript>alert('XSS')\u003C\u002Fscript>.\n5. Save the form configuration. The payload will be stored within the JSON-encoded content of the form entity.\n6. Embed the form on a post or page using its shortcode.\n7. 
Visit the page as a user who does not have access to the form (e.g., an unauthenticated user if registration\u002Flogin is required). The plugin will display the injected 'No Access Message' directly without escaping, triggering the execution of the script.","gemini-3-flash-preview","2026-04-27 14:40:54","2026-04-27 14:41:46",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-showcase\u002Ftags\u002F3.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyoutube-showcase.3.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-showcase\u002Ftags\u002F3.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyoutube-showcase.3.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-showcase\u002Ftags"]
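Review bot: In the `else` branch of the `@@ -470,8 +470,8 @@` hunk, `sanitize_text_field()` is applied at render time and `esc_html()` is then applied to the same value. `esc_html()` alone neutralizes markup at this sink, and stripping tags on every render hides whatever is still stored in the form settings. Suggest keeping `esc_html($noaccess_msg)` here and moving the sanitization to the code path that saves `noaccess_msg`, which this hunk does not show; if the message is meant to allow limited HTML, `wp_kses_post()` at output would be the fit instead. Separately, `$fcontent['settings']['noaccess_msg']` is read without an `isset()` check or default, so a form whose settings lack the key raises a PHP notice or warning and renders an empty alert div.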