CVE-2021-24464: 
WordPress vulnerability analysis and mitigation

The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before version 2.3.9 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on June 28, 2021, and was assigned CVE-2021-24464. The issue affects users with roles as low as Contributor, making it an authenticated vulnerability (WPScan).

The vulnerability stems from the plugin's failure to properly escape, validate, or sanitize certain shortcode options. Specifically, the align, width, and height parameters of the wpdevart_youtube shortcode are left unescaped. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages through the plugin's shortcode parameters. The stored XSS payload would then execute when other users view the affected pages, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 2.3.9 of the YouTube Embed, Playlist and Popup plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).