CVE-2021-24471 YouTube Embed < 5.2.2 - Contributor+ Stored XSS

2021-08-1610:48:22

CWE-79

WPScan

www.cve.org

cve-2021-24471

youtube embed

stored xss

wordpress plugin.

EPSS

0.001

Percentile

24.8%

JSON

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).

CNA Affected

[
  {
    "product": "YouTube Embed",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "5.2.2",
        "status": "affected",
        "version": "5.2.2",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2021-24471