CVE-2024-5475: 
WordPress vulnerability analysis and mitigation

The Responsive video embed WordPress plugin before version 0.5.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly validate and escape shortcode attributes before outputting them back in pages/posts where the shortcode is embedded (WPScan, NVD).

The vulnerability stems from insufficient input validation and output escaping of shortcode attributes in the plugin. When the shortcode is embedded in a page or post, the unescaped attributes are output directly, allowing for script injection. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

This vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. When other users view the affected pages, the malicious scripts will execute in their browsers, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 0.5.1 of the Responsive video embed plugin. Site administrators should update to this version or later immediately to protect against potential attacks (WPScan).