CVE-2023-5063 in Widget Responsive for Youtube Plugin
Summary
by MITRE • 09/20/2023
The Widget Responsive for Youtube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube' shortcode in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/10/2026
The vulnerability identified as CVE-2023-5063 affects the Widget Responsive for Youtube WordPress plugin, specifically impacting versions 1.6.1 and earlier. This represents a critical security flaw that allows authenticated attackers with contributor-level permissions or higher to execute stored cross-site scripting attacks. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's youtube shortcode implementation, creating a persistent security risk that can compromise user sessions and potentially lead to broader system compromise.
The technical flaw manifests through the plugin's insufficient validation of user-supplied attributes in the youtube shortcode functionality. When administrators or contributors insert YouTube embed codes through the plugin's interface, the system fails to properly sanitize or escape the input parameters before storing them in the WordPress database. This stored data is then retrieved and rendered on pages without adequate output escaping, creating an environment where malicious scripts can be permanently embedded within the website's content. The vulnerability specifically targets the shortcode processing mechanism, which is commonly used to embed YouTube videos within WordPress posts and pages, making it particularly dangerous as it can affect numerous website sections.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with persistent access to compromised websites. Contributors and above have the ability to create or modify content, and with this vulnerability, they can inject malicious JavaScript that executes whenever any user accesses pages containing the compromised content. This creates a potential for session hijacking, data exfiltration, and further exploitation of the compromised WordPress installation. The stored nature of the vulnerability means that once injected, the malicious scripts will continue to execute until manually removed from the database, potentially affecting all website visitors and administrators who access the compromised pages.
Security professionals should consider this vulnerability in the context of the CWE-79 classification for cross-site scripting flaws, specifically addressing the stored XSS variant that allows persistent script execution. The ATT&CK framework categorizes this under T1566.001 for credential access through the exploitation of web application vulnerabilities. Mitigation strategies should include immediate plugin updates to versions that address the sanitization and escaping issues, implementation of web application firewalls that can detect and block malicious script patterns, and regular database audits to identify and remove any injected malicious content. Additionally, administrators should enforce the principle of least privilege by limiting contributor permissions and implementing additional security measures such as two-factor authentication to reduce the attack surface. The vulnerability highlights the importance of proper input validation and output escaping practices in web application development, particularly for plugins that handle user-generated content and external media embedding functionality.