CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4756 – YouTube Channel < 3.23.0 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4756
11 Jan 2023 — The My YouTube Channel WordPress plugin before 3.23.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. The YouTube Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.0.12.1 due to insufficient input sa... • https://wpscan.com/vulnerability/d67b0f7a-fdb1-4305-9976-c5f77b0e3b61 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0447 – My YouTube Channel <= 3.0.12.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-0447
04 Jan 2023 — The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and including, 3.0.12.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to clear the plugin's cache. El complemento My Youtube Channel para WordPress es vulnerable a la omisión de autorización debido a una falta de verificación de capacidad en la función clear_all_cache en versiones hasta la 3.... • https://plugins.trac.wordpress.org/browser/youtube-channel/trunk/youtube-channel.php?rev=2482795#L1502 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0446 – My YouTube Channel <= 3.0.12.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-0446
04 Jan 2023 — The My YouTube Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 3.0.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento My youtube Channel para WordPress es vulnerable a cross-site scripting alma... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2844200%40youtube-channel&new=2844200%40youtube-channel&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •