CVE-2022-4783: 
WordPress vulnerability analysis and mitigation

The Youtube Channel Gallery WordPress plugin through version 2.4 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4783. The vulnerability was publicly disclosed on January 18, 2023, and affects users with contributor-level permissions or higher (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output in pages or posts where the shortcode is embedded. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-79. A proof of concept exploit involves using malicious input in the shortcode attributes: [YoutubeChannelGallery key='invalid' user='" onmouseover="alert(/XSS/)" style="background:red;"'] (WPScan).

When exploited, this vulnerability allows attackers with contributor-level access or higher to perform Stored Cross-Site Scripting attacks against other users who view the affected pages. This could potentially lead to client-side code execution in visitors' browsers (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Website administrators using the Youtube Channel Gallery plugin should consider either removing the plugin or restricting access to trusted users only (WPScan).