WordPress Plugin Vulnerabilities

YouTube Embed < 5.2.2 - Contributor+ Stored XSS

Description

The plugin does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).

Proof of Concept

Affects Plugins

Plugin icon
youtube-embed
Fixed in 5.2.2

References

CVE
CVE-2021-24471

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac

Timeline

Publicly Published
2021-07-19 (about 4 years ago)
Added
2021-07-19 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2024-11-08
Title
GreenCon <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-24
Title
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
Published
2024-10-24
Title
Image Map Pro < 6.0.21 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-05-23
Title
Zephyr Project Manager < 3.2.41 - Reflected Cross-Site Scripting
Published
2024-01-03
Title
ARForms < 1.5.9 - Unauthenticated Stored XSS