CVE-2025-54731
emarket-design · emarket-design YouTube Showcase
Executive summary
A high-severity code injection vulnerability in the emarket-design YouTube Showcase plugin allows a remote attacker to perform object injection, potentially leading to arbitrary code execution on the web server.
Vulnerability
The plugin fails to properly sanitize user-supplied input, leading to a PHP Object Injection vulnerability. A remote, potentially unauthenticated attacker can submit a specially crafted payload that, when deserialized by the application, can trigger malicious code execution.
Business impact
This vulnerability is rated High with a CVSS score of 8.1. A successful exploit could result in a full compromise of the web application and the underlying server. Potential consequences include theft of sensitive data from the website's database, website defacement, or using the compromised server to host malware or attack other systems.
Remediation
Immediate Action: Update the emarket-design YouTube Showcase plugin to the latest patched version as specified by the vendor. If a patch is not available, disable and uninstall the plugin immediately.
Proactive Monitoring: Review web server access logs for unusual POST requests containing serialized PHP object strings. Monitor file systems for unexpected new or modified PHP files, which could indicate a successful webshell upload.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block PHP Object Injection and other code injection attacks. This can provide a layer of protection while patches are being deployed.
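The log review described under Proactive Monitoring can be scripted. The following detector is an added example, not code from the advisory or from the plugin vendor: it parses common/combined-format access log lines, percent-decodes the request URI, and flags requests whose URI carries a serialised PHP object marker (O:<len>:"<class>": or the C: form). The log lines and paths are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Common/combined access log format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Serialised PHP object header: O:<len>:"<class>":  (C: is the Serializable form).
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[^"]+":')

def decode_repeatedly(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so O%3A8%3A... is caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(lines):
    """Return (client, method, raw_uri) for requests whose URI carries a serialised PHP object."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = decode_repeatedly(m.group("uri"))
        if PHP_OBJECT_RE.search(uri):
            hits.append((m.group("client"), m.group("method"), m.group("uri")))
    return hits

# Constructed sample lines (not real traffic); the POST carries a percent-encoded stdClass object.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Aug/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 31',
    '203.0.113.9 - - [10/Aug/2025:12:00:03 +0000] "GET /?s=video HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Standard access logs record only the request line, so a payload sent in a POST body is invisible here; pair this with WAF or request-body logging to cover that case.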
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of remote code execution makes this a critical vulnerability to address. All instances of the YouTube Showcase plugin must be updated without delay. If an update cannot be performed, the plugin must be removed to eliminate the attack surface and protect the web server from compromise.