Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings | CVE 2023-49180 | Plugin Vulnerabilities

Description

The Automatic Youtube Video Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

automatic-youtube-video-posts

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

yuyudhn

Verified

No

WPVDB ID

a769362d-6a39-4201-971d-cc7fe691d0b7

Timeline

Publicly Published

2023-11-29 (about 2 years ago)

Added

2023-12-08 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2016-04-12

Title

Simpel Reserveren 3 <= 3.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2025-09-22

Title

SQL Chart Builder <= 2.3.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-30

Title

WP Bulk Delete < 1.3.2 - Reflected Cross-Site Scripting

Published

2024-05-27

Title

FV Flowplayer Video Player < 7.5.46.7212 - Reflected Cross-Site Scripting

Published

2025-04-17

Title

WP Post to PDF Enhanced <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting