{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3299", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-26T20:16:06.090Z", "datePublished": "2026-04-16T01:24:34.807Z", "dateUpdated": "2026-04-16T01:24:34.807Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T01:24:34.807Z"}, "affected": [{"vendor": "futtta", "product": "WP YouTube Lyte", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.29", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de09d051-d124-4397-bd1c-b193acd6c186?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482595/wp-youtube-lyte"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-28T09:57:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T12:25:22.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3299", "lastModified": "2026-04-16T02:16:11.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T02:16:11.533", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3482595/wp-youtube-lyte"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de09d051-d124-4397-bd1c-b193acd6c186?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T02:11:56.791215+00:00", "value": {"mitigation_remediation": ["Upgrade the WP YouTube Lyte plugin to the latest release that resolves the shortcode sanitization issue.", "Inspect existing posts, pages, and custom content for occurrences of the lyte shortcode with suspicious attributes and either sanitize or delete the malicious entries before publishing.", "If an immediate upgrade is not possible, restrict contributor\u2011level users from editing content that includes the lyte shortcode, or use a security plugin to block shortcode usage for certain user roles."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any installation of the WP YouTube Lyte plugin version 1.7.29 or earlier. All users of the plugin on WordPress sites should verify the installed version and consider upgrading to the next release.", "description_and_impact": "The WP YouTube Lyte plugin, a WordPress extension used to embed YouTube videos more efficiently, contains an insufficiently sanitized user input handling for the 'lyte' shortcode, which allows a contributor\u2011level user to inject arbitrary JavaScript into posts or pages. This stored cross\u2011site scripting flaw is cataloged as CWE\u201179 and can compromise the confidentiality, integrity, and availability of the site by executing malicious scripts in the context of any visitor who loads a page containing the maliciously crafted shortcode.", "risk_and_exploitability": "With a CVSS score of 6.4, the flaw is considered moderate severity. Since the EPSS score is not available and the issue is not listed in the CISA KEV catalog, the likelihood of exploitation appears low at the moment, but the vulnerability requires authenticated access at the contributor level, which many sites grant to regular content authors. Attackers can exploit the flaw by adding or editing shortcodes after gaining contributor rights, and the injected code will run when any site visitor views the affected page."}}}}, "created": "2026-04-16T02:15:21.322579+00:00", "updated": "2026-04-16T02:15:21.322609+00:00", "vendors": []}