VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2023 · Updated Mar 25, 2025

YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode

CVE-2022-4833

Description

The YourChannel WordPress plugin before 1.2.3 does not sanitize shortcode attributes, enabling contributor-level stored XSS attacks against admins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of the WordPress plugin "YourChannel: Everything you want in a YouTube plugin" prior to 1.2.3 fail to validate and escape some of the plugin's shortcode attributes before outputting them in the page. This allows users with a role as low as contributor to inject arbitrary HTML and JavaScript into posts or pages using the vulnerable shortcode. The affected plugin is used to embed YouTube content via custom shortcodes.
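
The class of bug described above, as an added example that is not the YourChannel plugin's code: a hypothetical `[demo_video]` shortcode handler that writes attributes into HTML unescaped, next to a hardened version that validates and escapes them. The tag, attribute names and function names are assumptions, and the file is meant to load as a plugin inside WordPress.

```php
<?php
/**
 * Added example, not the YourChannel plugin's code. The shortcode tag
 * [demo_video] and its attributes (channel, width, theme) are hypothetical.
 * Load as a plugin file inside WordPress; it relies on core functions only.
 */
defined( 'ABSPATH' ) || exit;

// BEFORE: attribute values flow into HTML unchanged. Anyone who can save a
// post (contributor and up) controls $atts, so they also shape the markup.
function demo_video_unsafe( $atts ) {
	$atts = shortcode_atts(
		array( 'channel' => '', 'width' => '640', 'theme' => 'light' ),
		$atts,
		'demo_video'
	);
	return '<div class="demo-video ' . $atts['theme'] . '" data-channel="'
		. $atts['channel'] . '" style="width:' . $atts['width'] . 'px"></div>';
}

// AFTER: validate each value against what it is allowed to be, then escape
// for the exact output context at the point of output.
function demo_video_safe( $atts ) {
	$atts = shortcode_atts(
		array( 'channel' => '', 'width' => '640', 'theme' => 'light' ),
		$atts,
		'demo_video'
	);

	// Enumerated value: allow-list, falling back to the default.
	$theme = in_array( $atts['theme'], array( 'light', 'dark' ), true )
		? $atts['theme'] : 'light';
	// Numeric value: force a non-negative integer and clamp its range.
	$width = min( max( absint( $atts['width'] ), 200 ), 1920 );
	// Identifier: drop everything outside a conservative character set.
	$channel = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $atts['channel'] );

	return sprintf(
		'<div class="demo-video %s" data-channel="%s" style="width:%dpx"></div>',
		esc_attr( $theme ),
		esc_attr( $channel ),
		$width
	);
}
// Only the hardened handler is registered; the unsafe one is for comparison.
add_shortcode( 'demo_video', 'demo_video_safe' );
```

When auditing a plugin's handlers, check every attribute that reaches output: `shortcode_atts()` only merges defaults and does no sanitizing of its own.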

Exploitation

An attacker must have a WordPress account with at least the contributor role. To exploit the vulnerability, the attacker crafts a post or page containing the vulnerable shortcode with a malicious payload in one of the unescaped attributes. When the post is viewed by a higher-privilege user (such as an administrator), the stored script executes in their browser session. No additional user interaction beyond viewing the compromised page is required.

Impact

Successful exploitation leads to Stored Cross-Site Scripting (XSS). An attacker can perform actions on behalf of the victim admin, such as creating new administrative accounts, modifying site content, or installing malicious plugins, effectively achieving full site compromise if the victim has sufficient privileges.

Mitigation

The vulnerability is fixed in version 1.2.3 of the plugin, which was released prior to the public disclosure on January 10, 2023 [1]. Users should update to version 1.2.3 or later immediately. No workarounds are provided, and the plugin repository reflects the fixed version.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
