CVE-2021-24471

Name of the Vulnerable Software and Affected Versions YouTube Embed WordPress plugin versions prior to 5.2.2

Description The issue arises from the plugin's failure to validate, escape, or sanitize certain shortcode attributes, leading to Stored XSS issues. This can occur through various means, including using specific parameters of the youtube shortcode, such as w, h, controls, cc lang, color, language, start, stop, or style, or parameters of the youtube thumb shortcode, such as style, class, rel, target, width, height, or alt. Additionally, embedding a video with a title or description containing an XSS payload can also lead to issues if an API key is configured.

Recommendations For versions prior to 5.2.2, update to version 5.2.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of vulnerable shortcode attributes until a patch is available. Restrict access to the youtube and youtube thumb shortcodes to minimize the risk of exploitation. Avoid using parameters such as w, h, controls, cc lang, color, language, start, stop, or style in the youtube shortcode, and style, class, rel, target, width, height, or alt in the youtube thumb shortcode, until the issue is resolved.