CVE-2021-24471: 
WordPress vulnerability analysis and mitigation

The YouTube Embed WordPress plugin (versions before 5.2.2) was identified with CVE-2021-24471, discovered and publicly disclosed on July 19, 2021. This vulnerability affects the plugin's shortcode attribute handling functionality, where multiple parameters were not properly validated, escaped, or sanitized (WPScan Advisory, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It received a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists in multiple shortcode attributes including w, h, controls, cclang, color, language, start, stop, style parameters of youtube shortcode, and style, class, rel, target, width, height, alt parameters of youtubethumb shortcode. Additionally, if an API key is configured, XSS payloads can be executed through video titles or descriptions (WPScan Advisory).

The vulnerability allows attackers with contributor-level access or higher to store and execute malicious JavaScript code on the affected WordPress sites. When triggered, this could lead to unauthorized actions being performed in the context of other users viewing the affected pages, potentially compromising sensitive information or manipulating site content (NVD).

The vulnerability has been patched in version 5.2.2 of the YouTube Embed WordPress plugin. Site administrators are advised to update to this version or later to mitigate the security risk (WPScan Advisory).