Playlist for Youtube < 1.40 – Editor+ Stored XSS | CVE 2024-3937 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to https://example.com/wp-admin/admin.php?page=playlists_yt_free
2. For the Playlist Name and/or Video size add the payload `"><script>alert(1)</script>`
3. Click "Add" and see the XSS

Affects Plugins

playlist-for-youtube

Fixed in 1.40

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erdemstar

Submitter

Erdemstar

Submitter website

https://erdemstar.com.tr

Verified

Yes

WPVDB ID

0cd5b288-05b3-48b7-9245-f59ce7377861

Timeline

Publicly Published

2024-05-08 (about 1 year ago)

Added

2024-05-08 (about 1 year ago)

Last Updated

2025-03-18 (about 9 months ago)

Other

Published

Title

Published

2025-08-05

Title

Seriously Simple Podcasting < 3.12.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-12-11

Title

Schema App Structured Data < 2.2.5 - Reflected Cross-Site Scripting

Published

2023-03-20

Title

Simple Giveaways < 2.45.1 - Admin+ Stored XSS

Published

2014-08-01

Title

WP App Maker 1.0.16.4 - icons-launcher.php uid Parameter Reflected XSS

Published

2024-08-07

Title

ComboBlocks < 2.2.87 - Authenticated (Contributor+) Stored Cross-Site Scripting