CVE-2023-49180: 
WordPress vulnerability analysis and mitigation

The Automatic Youtube Video Posts Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-49180. The vulnerability affects all versions up to and including 5.2.2 of the plugin. This security issue was discovered by researcher yuyudhn and was publicly disclosed on November 29, 2023. The vulnerability specifically impacts the plugin's admin settings functionality (WPScan, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 4.8 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The impact is particularly significant in multi-site installations and installations where unfiltered_html has been disabled (WPScan).

As of the latest reports, no official fix has been released for this vulnerability. The issue affects versions up to and including 5.2.2 of the Automatic Youtube Video Posts Plugin. Patchstack has classified this as a low-priority issue for virtual patching (Patchstack).