VYPR
Medium severity (6.4) · NVD Advisory · Published Nov 28, 2024 · Updated Apr 15, 2026

CVE-2024-11788

Description

The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-youtube-embed' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The StreamWeasels YouTube Integration plugin for WordPress (≤1.3.6) has a stored XSS vulnerability in its shortcode, allowing contributor-level attackers to inject arbitrary scripts.

Vulnerability Analysis

The StreamWeasels YouTube Integration plugin for WordPress, in all versions up to and including 1.3.6, is vulnerable to Stored Cross-Site Scripting (XSS) via the sw-youtube-embed shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes processed by this shortcode [1].
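To make the root cause concrete, the following is an added example (not the plugin's own code) of a hypothetical YouTube-embed shortcode handler written first the unsafe way and then the hardened way with the WordPress escaping API; the shortcode tag and attribute names are invented for illustration.

```php
<?php
// Hypothetical shortcode handler illustrating the missing sanitization and
// escaping the advisory describes. The tag and attribute names are invented
// for this example; this is not the StreamWeasels plugin's code.

// Unsafe pattern: attributes are interpolated into HTML without escaping, so a
// contributor can terminate the attribute value and inject markup or script.
function yt_embed_unsafe( $atts ) {
    $a = shortcode_atts( array( 'id' => '', 'width' => '560', 'title' => '' ), $atts );
    return '<iframe src="https://www.youtube.com/embed/' . $a['id'] . '" width="'
        . $a['width'] . '" title="' . $a['title'] . '"></iframe>';
}

// Hardened version: validate each attribute against the shape it must have,
// then escape it for the exact context in which it is emitted.
function yt_embed_safe( $atts ) {
    $a = shortcode_atts( array( 'id' => '', 'width' => '560', 'title' => '' ), $atts );

    // YouTube video ids are 11 characters from [A-Za-z0-9_-]; reject anything else.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $a['id'] ) ) {
        return '';
    }
    // Width must be a positive integer; absint() discards everything else.
    $width = absint( $a['width'] );
    if ( 0 === $width ) {
        $width = 560;
    }
    // Build the URL from the validated id, then esc_url() it for the src attribute.
    $src = esc_url( 'https://www.youtube.com/embed/' . $a['id'] );
    // Free-text title is sanitized, then esc_attr() keeps quotes and angle
    // brackets from breaking out of the attribute.
    $title = esc_attr( sanitize_text_field( $a['title'] ) );

    return sprintf(
        '<iframe src="%s" width="%d" title="%s" allowfullscreen></iframe>',
        $src,
        $width,
        $title
    );
}

add_shortcode( 'yt_embed_example', 'yt_embed_safe' );
```

Because output escaping is applied at the point of emission rather than on save, the hardened handler stays safe even for attribute values that were already stored in post content before the fix.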

Exploitation Method

An authenticated attacker with at least contributor-level access can inject arbitrary web scripts through the shortcode attributes. When a user (including administrators) accesses a page containing the injected shortcode, the malicious script executes in the context of the victim's browser. No additional privileges beyond the contributor role are required for the injection step, though the injected payload is stored and will execute for any visitor [1].

Impact

Successful exploitation allows an attacker to perform actions such as session hijacking, defacement, or redirection to malicious sites, potentially compromising the entire WordPress site. Stored XSS of this nature can lead to privilege escalation if an administrator visits the affected page, as the injected script could capture admin session tokens or perform administrative actions on behalf of the victim [1].

Mitigation

The vulnerability is present in versions up to and including 1.3.6. Users should update the plugin to a patched version if available, or remove the plugin if no update is provided. As of the publication date (2024-11-28), the vendor may not have released a fix; administrators should monitor the plugin's official page for updates and consider restricting contributor-level access in the interim [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)