CVE-2024-10185

The StreamWeasels YouTube Integration plugin for WordPress (versions up to 1.3.2) contains a stored cross-site scripting (XSS) vulnerability in its sw-youtube-embed shortcode. The plugin fails to properly sanitize user-supplied attributes and escape output, allowing malicious input to be stored and rendered as HTML in pages.

Exploitation requires an authenticated WordPress user with at least contributor-level access. The attacker can inject arbitrary web scripts by crafting a shortcode with malicious attributes. When other users, including administrators, visit the affected page, the injected script executes in their browsers, potentially leading to session hijacking or further attacks.

The impact is high within the context of a compromised site, as an attacker can steal cookies, redirect users, or perform actions on behalf of the victim. The CVSS v3 score of 6.4 indicates a medium severity, reflecting the need for authentication and the potential for credential theft.

WordPress plugin repository likely includes the patched version after 1.3.2. Users are strongly recommended to update the plugin to the latest available version to mitigate this vulnerability [1].