Stored Cross-Site Scripting in Feeds for YouTube Plugin for WordPress
CVE-2023-4841
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 14 September 2023
What is CVE-2023-4841?
The Feeds for YouTube plugin for WordPress poses a risk due to a Stored Cross-Site Scripting vulnerability present in versions up to and including 2.1. This flaw arises from inadequate input validation and output encoding on user-supplied attributes, particularly through the 'youtube-feed' shortcode. As a result, authenticated users with contributor-level permissions can execute arbitrary scripts on targeted pages, which may compromise user data and lead to further attacks. It is essential for users to update to the latest version to mitigate this risk.
Affected Version(s)
Feeds for YouTube (YouTube video, channel, and gallery plugin) * <= 2.1