Stored Cross-Site Scripting in Feeds for YouTube Plugin for WordPress
CVE-2023-4841

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Feeds for YouTube (YouTube video, channel, and gallery plugin)
Vendor: CVE Published:; 14 September 2023

Summary

The Feeds for YouTube plugin for WordPress poses a risk due to a Stored Cross-Site Scripting vulnerability present in versions up to and including 2.1. This flaw arises from inadequate input validation and output encoding on user-supplied attributes, particularly through the 'youtube-feed' shortcode. As a result, authenticated users with contributor-level permissions can execute arbitrary scripts on targeted pages, which may compromise user data and lead to further attacks. It is essential for users to update to the latest version to mitigate this risk.

Affected Version(s)

Feeds for YouTube (YouTube video, channel, and gallery plugin) * <= 2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/feeds-for-yout...

https://plugins.trac.wordpress.org/changeset/2966017/feed...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 14, 2023
Vulnerability Reserved
Sep 8, 2023

Credit

Lana Codes