CVE-2021-24471: YouTube Embed < 5.2.2 - Contributor+ Stored XSS

Vendor: Unknown
Product: YouTube Embed
Weakness: CWE-79 · XSS
Published: August 16, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues in three ways:

1. using the w, h, controls, cc_lang, color, language, start, stop, or style parameter of the youtube shortcode;
2. using the style, class, rel, target, width, height, or alt parameter of the youtube_thumb shortcode;
3. embedding a video whose title or description contains an XSS payload (if an API key is configured).
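For sites that ran a version before 5.2.2, stored post content can be triaged for the first two cases. The following is an added example, not code from the plugin or from this record: it scans post bodies for the two shortcodes and reports listed attributes whose values contain characters that could break out of an HTML attribute. The shortcode syntax, the matching rules and the sample posts are assumptions constructed for illustration; the third case (video title or description) is not covered.

```python
import html
import re

# Attribute names come from the advisory; the matching rules are assumptions.
AFFECTED = {
    "youtube": {"w", "h", "controls", "cc_lang", "color", "language",
                "start", "stop", "style"},
    "youtube_thumb": {"style", "class", "rel", "target", "width", "height", "alt"},
}
SHORTCODE_RE = re.compile(r"\[(youtube_thumb|youtube)\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Characters that can close an HTML attribute or open a tag, plus script URLs.
BREAKOUT_RE = re.compile(r"""[<>"'`]|javascript:""", re.IGNORECASE)

# Constructed sample posts (inert values, not taken from any real site).
SAMPLE_POSTS = {
    101: 'Intro [youtube w="560" h="315" color="white"]VIDEO_ID[/youtube] outro',
    102: "[youtube w='560\" data-probe=\"1' start=\"30\"]VIDEO_ID[/youtube]",
    103: '[youtube_thumb alt="cover <b>bold</b>" width="120"]VIDEO_ID[/youtube_thumb]',
    104: '[youtube style="&lt;i&gt;note"]VIDEO_ID[/youtube]',
}


def audit_post(post_id, content):
    """Return (post_id, shortcode, attribute, value) for each suspicious value."""
    findings = []
    for tag, raw_attrs in SHORTCODE_RE.findall(content):
        tag = tag.lower()
        for name, dq, sq, bare in ATTR_RE.findall(raw_attrs):
            # Decode entities so an encoded "<" is judged like a literal one.
            value = html.unescape(dq or sq or bare)
            if name.lower() in AFFECTED[tag] and BREAKOUT_RE.search(value):
                findings.append((post_id, tag, name.lower(), value))
    return findings


def audit_posts(posts):
    """Audit a {post_id: content} mapping in post-id order."""
    return [f for pid, body in sorted(posts.items()) for f in audit_post(pid, body)]


if __name__ == "__main__":
    for post_id, tag, attr, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: [{tag}] {attr}={value!r}")
```

This is a triage heuristic: a legitimate alt text containing an apostrophe is also reported, and an attribute value containing `]` is truncated by the shortcode pattern, so hits need manual review.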

Key dates

02 Disclosure timeline

August 16, 2021: CVE published
August 3, 2024: Record updated