CVE-2017-6817
Description
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated XSS in WordPress before 4.7.3 via improper sanitization of YouTube URL embeds.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the wp_embed_handler_youtube function in wp-includes/embed.php of WordPress versions before 4.7.3 [1], [2]. The YouTube video ID extracted from a URL is not URL-encoded before being passed to the autoembed function, allowing an attacker to inject arbitrary JavaScript that executes in the context of a user's browser when they view a post or page containing the crafted embed [1], [2]. The fix in commit 419c8d9 applies urlencode() to the video ID [2].
Exploitation
An attacker needs authenticated access with the ability to insert or edit posts/pages containing YouTube embeds. By crafting a YouTube URL whose video ID carries a JavaScript payload instead of a real ID (e.g., " onload=alert(1)), the unsanitized ID is carried into the embed output and saved with the post. When another user (including an administrator) views the affected content, the injected script executes in their browser session [1].
Impact
Successful exploitation yields stored cross-site scripting (XSS) on the WordPress front end or in the admin, wherever the post containing the embed is rendered. Because the payload is saved in post content and fires for every viewer, an attacker could steal session cookies, modify site content, or escalate privileges by targeting an administrator user [1]. The finding matters for roles such as Contributor and Author that lack the unfiltered_html capability and whose content is otherwise stripped of script by KSES; a user who already holds unfiltered_html gains nothing from it. The CVSS v3 base score is Medium (5.4), reflecting the requirement for authenticated access and user interaction.
Mitigation
The vulnerability is fixed in WordPress 4.7.3, released on March 6, 2017 [1]. Update to WordPress 4.7.3 or later; sites that have left background minor updates enabled (the default since 3.7) receive it automatically, and Debian shipped the fix through DSA-3815 for jessie and stretch (see references). The only interim workaround is to filter YouTube embed input yourself or to limit content creation to trusted users. This issue is one of the six security issues fixed in 4.7.3 [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (version range: <=4.7.2)
- (no CPE) version range: <4.7.3
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
419c8d97ce8d: Embeds: URL encode YouTube video IDs for broader compatibility.
2 files changed · +2 −2
wp-includes/embed.php+1 −1 modified@@ -226,7 +226,7 @@ function wp_maybe_load_embeds() { */ function wp_embed_handler_youtube( $matches, $attr, $url, $rawattr ) { global $wp_embed; - $embed = $wp_embed->autoembed( "https://youtube.com/watch?v={$matches[2]}" ); + $embed = $wp_embed->autoembed( sprintf( "https://youtube.com/watch?v=%s", urlencode( $matches[2] ) ) ); /** * Filters the YoutTube embed output.
wp-includes/version.php+1 −1 modified@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.8-alpha-40148'; +$wp_version = '4.8-alpha-40160'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
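Review bot: in the wp-includes/embed.php hunk, wrapping `$matches[2]` in urlencode() stops the ID from breaking out of the watch URL, but any string still reaches `$wp_embed->autoembed()` and the oEmbed lookup behind it; since a YouTube video ID is drawn from `[A-Za-z0-9_-]`, consider rejecting anything that fails a check such as `preg_match( '/^[A-Za-z0-9_-]+$/', $matches[2] )` before calling autoembed, rather than relying on encoding alone. urlencode() rather than rawurlencode() is the right choice here, because a space encoded as `+` is valid in a query string. Style: the docblock in the trailing context still reads "Filters the YoutTube embed output." (typo for YouTube), which could be fixed while touching this function.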
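Review bot: in the wp-includes/version.php hunk, the bump from '4.8-alpha-40148' to '4.8-alpha-40160' shows this changeset landed on trunk, so the 4.7 branch needs its own backport before the fix can reach the 4.7.3 release this CVE cites; the diff carries no pointer to that branch changeset or to a ticket, which would help anyone tracing the fix from the release notes back to the code.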
Vulnerability mechanics
Root cause
"Missing output encoding of the YouTube video ID before interpolation into the embed URL allows stored XSS."
Attack vector
An authenticated attacker with the ability to post or edit content can craft a YouTube embed URL whose captured video ID (the `$matches[2]` group in the handler) carries a payload instead of a real ID, for example `[youtube=https://www.youtube.com/watch?v=alert(1)]`. When WordPress processes the embed, the unencoded ID is interpolated into the watch URL handed to autoembed, and the resulting HTML is stored with the post and rendered in a victim's browser, executing the attacker's script. The attack requires the victim to view the page containing the crafted embed, and the attacker must have at least Contributor-level access to insert embeds [CWE-79].
Affected code
The vulnerable code is in `wp-includes/embed.php` in the `wp_embed_handler_youtube()` function. The YouTube video ID extracted from `$matches[2]` was passed directly into the URL string without encoding, allowing attacker-controlled characters to break out of the URL context.
What the fix does
The patch wraps the video ID in `urlencode()` before interpolating it into the embed URL, changing `{$matches[2]}` to `urlencode( $matches[2] )` via `sprintf`. This ensures that any special characters (quotes, angle brackets, parentheses) in the video ID are percent-encoded, preventing them from breaking out of the URL attribute context in the generated HTML. The version bump in `wp-includes/version.php` is incidental.
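The pre-fix and post-fix interpolation side by side, as an added example that is not WordPress code: `render_embed_stub()` is an assumed stand-in for the output path (the real `WP_Embed::autoembed()` output is more involved), the sample IDs are constructed for the demonstration, and the 11-character `[A-Za-z0-9_-]` allowlist in `youtube_watch_url_strict()` is an assumption about the current shape of YouTube video IDs, offered as a stricter alternative to encoding alone.

```php
<?php
// Added example, not WordPress code. Shows the interpolation changed in
// 419c8d97ce8d and a stricter allowlist variant. The renderer below is an
// assumption standing in for WP_Embed::autoembed(): it drops the watch URL
// into an HTML attribute unescaped, the way the pre-fix code trusted the ID.
function render_embed_stub(string $watch_url): string {
    return '<iframe src="' . $watch_url . '"></iframe>';
}

// Pre-fix behaviour (WordPress < 4.7.3): raw string interpolation.
function youtube_watch_url_vulnerable(string $video_id): string {
    return "https://youtube.com/watch?v={$video_id}";
}

// Post-fix behaviour (4.7.3): percent-encode the ID before interpolating.
// urlencode() maps '"' to %22, '<' to %3C, '(' to %28, space to '+'.
function youtube_watch_url_fixed(string $video_id): string {
    return sprintf("https://youtube.com/watch?v=%s", urlencode($video_id));
}

// Stricter alternative (assumption: YouTube IDs are currently 11 characters
// from [A-Za-z0-9_-]). Anything else is rejected instead of forwarded.
function youtube_watch_url_strict(string $video_id): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{11}$/', $video_id)) {
        return null;
    }
    return "https://youtube.com/watch?v={$video_id}";
}

// Constructed sample IDs: one benign, two attribute/element break-out attempts.
$constructed_ids = [
    'dQw4w9WgXcQ',
    '" onload="alert(1)',
    '"><script>alert(1)</script>',
];

foreach ($constructed_ids as $id) {
    echo "ID: {$id}\n";
    echo "  vulnerable: " . render_embed_stub(youtube_watch_url_vulnerable($id)) . "\n";
    echo "  fixed:      " . render_embed_stub(youtube_watch_url_fixed($id)) . "\n";
    $strict = youtube_watch_url_strict($id);
    echo "  strict:     " . ($strict === null ? 'rejected' : render_embed_stub($strict)) . "\n";
}
```

Running it shows the vulnerable line closing the src attribute for the two payloads, the fixed line keeping them inside the attribute as %22 sequences, and the strict variant refusing them outright while passing the benign ID through unchanged.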
Preconditions
- auth: Attacker must have an account with at least Contributor-level access to post or edit content containing embeds.
- input: The victim must visit a page that renders the crafted YouTube embed.
- config: WordPress must have oEmbed or embed shortcode processing enabled (the default).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codex.wordpress.org/Version_4.7.3 (NVD: Patch, Vendor Advisory)
- github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8 (NVD: Issue Tracking, Patch, Third Party Advisory)
- wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ (NVD: Patch, Release Notes, Vendor Advisory)
- wpvulndb.com/vulnerabilities/8768 (NVD: Patch, Third Party Advisory)
- www.debian.org/security/2017/dsa-3815 (NVD: Third Party Advisory)
- www.securityfocus.com/bid/96601 (NVD: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1037959 (NVD: Third Party Advisory, VDB Entry)