YouTube Embed < 5.2.2 - Contributor+ Stored XSS
CVE-2021-24471

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Youtube Embed
Vendor: CVE Published:; 16 August 2021

What is CVE-2021-24471?

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).

Affected Version(s)

YouTube Embed 5.2.2

References

https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 16, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

apple502j