The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2021-08-16T10:48:22
Updated: 2021-08-16T10:48:22
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24471
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-08-16T11:15:08.447
Modified: 2021-08-23T18:54:26.930
Link: CVE-2021-24471
JSON object: View
Redhat Information
No data.
CWE