Stored Cross-Site Scripting in Feeds for YouTube Plugin for WordPress
CVE-2023-4841

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Feeds For Youtube (youtube Video, Channel, And Gallery Plugin)
Vendor
CVE Published:
14 September 2023

What is CVE-2023-4841?

The Feeds for YouTube plugin for WordPress poses a risk due to a Stored Cross-Site Scripting vulnerability present in versions up to and including 2.1. This flaw arises from inadequate input validation and output encoding on user-supplied attributes, particularly through the 'youtube-feed' shortcode. As a result, authenticated users with contributor-level permissions can execute arbitrary scripts on targeted pages, which may compromise user data and lead to further attacks. It is essential for users to update to the latest version to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Feeds for YouTube (YouTube video, channel, and gallery plugin) * <= 2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/feeds-for-yout...
https://plugins.trac.wordpress.org/changeset/2966017/feed...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
JSON
.