The plugin does not validate, sanitise and escape several of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the "Youtube API Key" or "YouTube Channel ID" settings and save:

"><img src onerror=alert(/XSS/)>

The Custom HTML setting is also affected:

</textarea><img src onerror=alert(/XSS/)>

Settings that are expected to be numbers are also affected, as they are only validated client side.
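An added example, not the plugin's code: plain PHP that renders a settings form the vulnerable way, then with server-side validation and escaping for the attribute and textarea contexts. The field names, the key alphabet, the 1 to 50 range and the default of 5 are assumptions.

```php
<?php
// Added example: hypothetical settings handling, not the plugin's code.
// Field names, limits and the default below are assumptions.

// Constructed input, as it would arrive in the save request.
$submitted = [
    'api_key'     => '"><img src onerror=alert(/XSS/)>',
    'custom_html' => '</textarea><img src onerror=alert(/XSS/)>',
    'max_results' => '10"><img src onerror=alert(/XSS/)>',
];

// Vulnerable pattern: stored values echoed straight into the markup.
function render_unsafe(array $s): string {
    return '<input name="api_key" value="' . $s['api_key'] . "\">\n"
         . '<textarea name="custom_html">' . $s['custom_html'] . "</textarea>\n"
         . '<input type="number" name="max_results" value="' . $s['max_results'] . '">';
}

// Save step: validate on the server, whatever the browser enforced.
function sanitize_settings(array $in): array {
    $count = filter_var($in['max_results'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    return [
        // Assumed key alphabet; everything else is dropped.
        'api_key'     => preg_replace('/[^A-Za-z0-9_-]/', '', $in['api_key'] ?? ''),
        // In WordPress, wp_kses_post() would filter this on save for
        // users without unfiltered_html; here it is only escaped on output.
        'custom_html' => (string) ($in['custom_html'] ?? ''),
        'max_results' => $count === false ? 5 : $count,
    ];
}

// Render step: escape every value for the context it lands in
// (the role esc_attr() and esc_textarea() play in WordPress).
function render_safe(array $s): string {
    $e = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    return '<input name="api_key" value="' . $e($s['api_key']) . "\">\n"
         . '<textarea name="custom_html">' . $e($s['custom_html']) . "</textarea>\n"
         . '<input type="number" name="max_results" value="' . $e($s['max_results']) . '">';
}

echo "--- unsafe ---\n", render_unsafe($submitted), "\n\n";
echo "--- safe ---\n", render_safe(sanitize_settings($submitted)), "\n";
```

In the safe output the numeric field falls back to the default because the submitted value is not an integer, and the textarea content appears as entities, so the closing tag in the payload no longer ends the element.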
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Vinay Varma Mudunuri
Yes
2022-04-25 (about 2 months ago)