WordPress Plugin Vulnerabilities

Video Gallery < 1.3.13 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
yotuwp-easy-youtube-embed
Fixed in 1.3.13

References

CVE
CVE-2023-25477

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
3d0b5f31-63a5-4a86-a187-32ea6c017649

Timeline

Publicly Published
2023-07-07 (about 10 months ago)
Added
2023-09-01 (about 8 months ago)
Last Updated
2023-09-01 (about 8 months ago)

Other

Published
Title
Published
2015-04-12
Title
Contact Form Plugin < 3.96 - XSS
Published
2019-06-26
Title
WebP Express < 0.14.8 - Authenticated Stored XSS
Published
2016-10-13
Title
Gravity Forms < 2.0.7 - Authenticated Blind Cross-Site Scripting (XSS)
Published
2016-04-26
Title
Gnucommerce < 0.5.7-beta - XSS
Published
2021-08-09
Title
ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget