Youtube Channel Gallery <= 2.4 - Contributor+ Stored XSS via Shortcode
Description
The Youtube Channel Gallery WordPress plugin through 2.4 has a stored XSS vulnerability via unsanitized shortcode attributes, allowing contributor+ users to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Youtube Channel Gallery WordPress plugin version 2.4 and earlier does not validate or escape some of its shortcode attributes before outputting them in a page or post where the shortcode is embedded. This allows users with the contributor role and above to inject arbitrary JavaScript, leading to stored cross-site scripting (XSS). The vulnerable shortcode attributes are processed without sanitization, making the attack possible whenever the shortcode is rendered. [1]
Exploitation
An attacker must have at least the contributor role in a WordPress site using the affected plugin. The attacker inserts a crafted shortcode with malicious JavaScript payloads in attributes such as channel, channel_title, playlist, or others that are not sanitized and are echoed back into the page. When the page is viewed by any user (including administrators), the payload executes in the context of the victim's browser. No additional user interaction is required beyond the victim visiting the compromised page. [1]
Impact
Successful exploitation allows an attacker with contributor privileges to execute arbitrary JavaScript in the browsers of other users, including administrators. This can lead to session hijacking, credential theft, defacement, or unauthorized actions on behalf of the victimized user. The stored nature of the XSS means the payload persists until the malicious shortcode is removed. [1]
Mitigation
As of the disclosure date (2023-01-18), no official fix has been released by the plugin vendor; the latest affected version is 2.4. Users are advised to remove or replace the plugin with an alternative, restrict contributor roles from using shortcodes where feasible, and apply a web application firewall rule to block XSS payloads in shortcode attributes. The vulnerability is listed in the WordPress Plugin Vulnerabilities database but has no known patch. [1]
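Since no vendor patch exists, the practical fix for a site that must keep the plugin is to make the shortcode handler treat every attribute as untrusted: whitelist the attributes it accepts, constrain their values to the expected shape, and escape for the exact output context. The following is an added example written for this page, not the plugin's own code. The shortcode tag ytcg_example, the defaults and the markup are hypothetical; the attribute names channel, channel_title and playlist are the ones named in the advisory, and the assumption that channel and playlist IDs contain only letters, digits, underscore and hyphen is mine.

```php
<?php
// Added example (not the plugin's own code): a shortcode handler that treats
// every attribute as untrusted. The tag name, defaults and markup are
// hypothetical; channel, channel_title and playlist come from the advisory.

function ytcg_example_render_gallery( $atts ) {
    // Whitelist attributes and supply defaults; unknown attributes are dropped.
    $atts = shortcode_atts(
        array(
            'channel'       => '',
            'channel_title' => '',
            'playlist'      => '',
            'width'         => '560',
        ),
        $atts,
        'ytcg_example' // hypothetical shortcode tag
    );

    // Constrain values to the shape the handler actually needs (assumption:
    // YouTube channel and playlist IDs are [A-Za-z0-9_-]).
    $channel  = preg_replace( '/[^A-Za-z0-9_-]/', '', $atts['channel'] );
    $playlist = preg_replace( '/[^A-Za-z0-9_-]/', '', $atts['playlist'] );
    $width    = absint( $atts['width'] );
    $title    = sanitize_text_field( $atts['channel_title'] );

    // The pattern the advisory describes is an attribute echoed unescaped, e.g.
    //   '<h3>' . $atts['channel_title'] . '</h3>'
    // which lets a contributor-supplied attribute value land in the page verbatim.

    // Escape at the point of output, choosing the escaper for each context.
    $src = 'https://www.youtube.com/embed/videoseries?list=' . rawurlencode( $playlist );

    $html  = '<div class="ytcg-gallery" data-channel="' . esc_attr( $channel ) . '">';
    $html .= '<h3>' . esc_html( $title ) . '</h3>';
    $html .= '<iframe width="' . esc_attr( (string) $width ) . '" src="' . esc_url( $src ) . '"></iframe>';
    $html .= '</div>';
    return $html;
}
add_shortcode( 'ytcg_example', 'ytcg_example_render_gallery' );
```

The important design choice is that sanitizing on input (sanitize_text_field, the ID regex) is not a substitute for escaping on output: esc_attr, esc_html and esc_url are applied where the value is written into HTML, because that is where the context is known. A site owner who cannot modify the plugin can apply the same idea from outside it with a filter that strips the shortcode from content saved by users below the editor role.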
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/38e4c7fe-94d5-48b9-8659-e114cbbb4252 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.