CVE-2022-4833: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2022-4833) affects the WordPress plugin 'YourChannel: Everything you want in a YouTube plugin' versions before 1.2.3. The vulnerability was discovered and publicly disclosed on January 10, 2023. It involves improper validation and escaping of shortcode attributes that could lead to Stored Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical root cause stems from the plugin's failure to properly validate and escape shortcode attributes before outputting them back in the page. A proof of concept exploit has been documented using the shortcode: [yourchannel video='" onmouseover=alert(1) "'] (WPScan, NVD).

The vulnerability allows users with roles as low as contributor to perform Stored Cross-Site Scripting attacks. These attacks could be leveraged against high-privilege users such as administrators, potentially leading to unauthorized actions or data exposure (WPScan).

The vulnerability has been fixed in version 1.2.3 of the YourChannel plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).