CVE-2021-24471 - OpenCVE

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Youtube Embed Project	Youtube Embed

Configuration 1 [-]

cpe:2.3:a:youtube_embed_project:youtube_embed:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-08-16T10:48:22

Updated: 2024-08-03T19:35:19.727Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24471

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-16T11:15:08.447

Modified: 2021-08-23T18:54:26.930

Link: CVE-2021-24471

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "YouTube Embed", "vendor": "Unknown", "versions": [{"lessThan": "5.2.2", "status": "affected", "version": "5.2.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "apple502j"}], "descriptions": [{"lang": "en", "value": "The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-16T10:48:22", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac"}], "source": {"discovery": "UNKNOWN"}, "title": "YouTube Embed < 5.2.2 - Contributor+ Stored XSS", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24471", "STATE": "PUBLIC", "TITLE": "YouTube Embed < 5.2.2 - Contributor+ Stored XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "YouTube Embed", "version": {"version_data": [{"version_affected": "<", "version_name": "5.2.2", "version_value": "5.2.2"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "apple502j"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured)."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:35:19.727Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24471", "datePublished": "2021-08-16T10:48:22", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:35:19.727Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:youtube_embed_project:youtube_embed:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "48D29224-0B88-40F7-9914-AA911F2628E7", "versionEndExcluding": "5.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured)."}, {"lang": "es", "value": "El plugin YouTube Embed WordPress versiones anteriores a 5.2.2, no comprueba, escapa o sanea algunos de sus atributos de shortcode, conllevando a problemas de tipo XSS Almacenado al 1. Usar los par\u00e1metros w, h, controls, cc_lang, color, language, start, stop, o style del shortcode youtube, 2. usar los par\u00e1metros style, class, rel, target, width, height, o alt del shortcode youtube_thumb, o 3. insertar un v\u00eddeo cuyo t\u00edtulo o descripci\u00f3n contenga carga \u00fatil de tipo XSS (si la clave API est\u00e1 configurada)."}], "id": "CVE-2021-24471", "lastModified": "2021-08-23T18:54:26.930", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-16T11:15:08.447", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/a8ccb09a-9f8c-448f-b2d0-9b01c3a748ac"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Primary"}]}