PT-2024-28472 · WordPress · Playlist For Youtube Wordpress Plugin

Erdemstar · Published 2024-05-29 · Updated 2024-10-03 · CVE-2024-3937

CVSS v3.1: 4.8 (Medium) · Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Playlist for Youtube WordPress plugin versions 1.32 and earlier

Description: The issue is a stored cross-site scripting (XSS) vulnerability. High-privilege users such as admins can exploit it even when the unfiltered_html capability is disallowed, for example in multisite setups. The vulnerability arises from the plugin's failure to sanitise and escape some of its settings.

Recommendations: For versions 1.32 and earlier, update to a version that addresses this issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until a patch is available. Avoid using potentially malicious input in settings such as the Playlist Name and Video size.
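The following is an added illustration of the weakness class described above, written for this page; it is not the Playlist for Youtube plugin's own code, and the option names, field values and function names are assumptions. It shows a settings page that stores a playlist name and a video size the vulnerable way (raw option value echoed into HTML) beside the hardened way (a sanitize_callback on register_setting so every save is filtered regardless of the saving user's capabilities, and context-appropriate escaping on output). The second half is what closes the gap for admins who lack unfiltered_html, such as on multisite, because WordPress does not apply kses filtering to plugin options on the plugin's behalf.

```php
<?php
/*
 * Added illustration, not the Playlist for Youtube plugin's code.
 * Option names (ytpl_demo_*), the settings group and the default
 * size are assumptions made for this example.
 */

// --- Vulnerable pattern: the option is stored and echoed unfiltered. ---
function ytpl_demo_render_vulnerable() {
    $name = get_option( 'ytpl_demo_playlist_name', '' );
    $size = get_option( 'ytpl_demo_video_size', '' );
    // Whatever markup was saved into these options is rendered as-is,
    // which is the stored XSS the advisory describes.
    echo '<h2>' . $name . '</h2>';
    echo '<div class="ytpl" style="width:' . $size . '"></div>';
}

// --- Hardened pattern: sanitise on save, escape on output. ---
function ytpl_demo_register_settings() {
    // sanitize_callback runs on every save through the Settings API,
    // independent of whether the saving user has unfiltered_html.
    register_setting( 'ytpl_demo_group', 'ytpl_demo_playlist_name', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, keeps plain text
        'default'           => '',
    ) );
    register_setting( 'ytpl_demo_group', 'ytpl_demo_video_size', array(
        'type'              => 'integer',
        'sanitize_callback' => 'ytpl_demo_sanitize_size',
        'default'           => 640,
    ) );
}
add_action( 'admin_init', 'ytpl_demo_register_settings' );

// A video size is a pixel count: coerce to a bounded integer so that
// no markup or CSS can survive in the stored value at all.
function ytpl_demo_sanitize_size( $value ) {
    $size = absint( $value );
    if ( $size < 100 || $size > 1920 ) {
        $size = 640; // assumed default
    }
    return $size;
}

function ytpl_demo_render_hardened() {
    $name = get_option( 'ytpl_demo_playlist_name', '' );
    $size = absint( get_option( 'ytpl_demo_video_size', 640 ) );
    // Escape for the exact output context: esc_html for element content,
    // esc_attr inside an attribute value. Escaping happens here even though
    // the value was sanitised on save, so a value written by another path
    // (import, direct DB edit, older plugin version) is still neutralised.
    echo '<h2>' . esc_html( $name ) . '</h2>';
    echo '<div class="ytpl" style="width:' . esc_attr( $size ) . 'px"></div>';
}
```

Sanitising on save and escaping on output are both needed: the first keeps the database clean, the second guarantees that the rendered page is safe whatever is in the database. If a setting legitimately needs limited HTML, wp_kses_post on save (and the matching allowed-tags list on output) is the WordPress-native replacement for sanitize_text_field.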

Weakness: XSS

Related Identifiers: CVE-2024-3937

Affected Products: Playlist For Youtube Wordpress Plugin