CVE-2025-48359
thaihavnn07 · thaihavnn07 ATT YouTube Widget
**A high-severity Cross-Site Request Forgery (CSRF) vulnerability in thaihavnn07 ATT YouTube Widget allows for Stored XSS, enabling an attacker to inject malicious scripts into the website.**
Executive summary
A high-severity Cross-Site Request Forgery (CSRF) vulnerability in thaihavnn07 ATT YouTube Widget allows for Stored XSS, enabling an attacker to inject malicious scripts into the website.
Vulnerability
The plugin is affected by a Cross-Site Request Forgery (CSRF) flaw. This allows an unauthenticated attacker to craft a malicious request that, when processed by an authenticated administrator's browser, results in the injection of a persistent malicious script (Stored XSS) into the widget's settings.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.1. An attacker could exploit this to execute malicious scripts in the browsers of users who view the page containing the compromised widget. This could lead to session hijacking, credential theft, website defacement, or redirection to harmful sites, undermining user trust and security.
Remediation
Immediate Action: Update the ATT YouTube Widget plugin to the latest version, which contains a patch for this vulnerability.
Proactive Monitoring: Regularly check the configuration and output of the widget for any unauthorized scripts or modifications. Review administrative logs for suspicious activity.
Compensating Controls: A Web Application Firewall (WAF) with comprehensive rules for blocking CSRF and XSS attacks can act as an effective virtual patch if an immediate update is not possible.
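To illustrate the flaw class described under "Vulnerability" and the fix the remediation calls for, the following is an added, hypothetical WordPress settings handler, not the ATT YouTube Widget's actual code: the vulnerable pattern (no nonce, no capability check, no sanitization, unescaped output) beside its hardened form. The option name, action names and field names are assumptions.

```php
<?php
// Hypothetical YouTube-widget settings handlers (assumed option: att_yt_demo_settings).
// Not the plugin's real code; written to show the CSRF -> stored XSS pattern and its fix.

// --- Vulnerable pattern ---
// Any page that makes an admin's browser POST to admin-post.php?action=att_yt_demo_save_vuln
// can overwrite the option (CSRF); the stored value is later echoed unescaped (stored XSS).
function att_yt_demo_save_vuln() {
    update_option( 'att_yt_demo_settings', array(
        'title'    => $_POST['title'],      // no nonce, no capability check, no sanitization
        'video_id' => $_POST['video_id'],
    ) );
    wp_safe_redirect( admin_url( 'widgets.php' ) );
    exit;
}
add_action( 'admin_post_att_yt_demo_save_vuln', 'att_yt_demo_save_vuln' );

function att_yt_demo_render_vuln() {
    $s = get_option( 'att_yt_demo_settings', array() );
    echo '<h3>' . $s['title'] . '</h3>'; // unescaped sink: stored XSS fires for every visitor
}

// --- Hardened pattern ---
function att_yt_demo_save_safe() {
    // 1. CSRF: the request must carry a nonce bound to this action and the current user.
    //    The form must emit it with wp_nonce_field( 'att_yt_demo_save', 'att_yt_demo_nonce' ).
    check_admin_referer( 'att_yt_demo_save', 'att_yt_demo_nonce' );
    // 2. Authorization: only users who may manage widgets can change the settings.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. Input validation: strip tags from the title; accept only a YouTube-ID-shaped value.
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $raw_id   = (string) ( $_POST['video_id'] ?? '' );
    $video_id = preg_match( '/^[A-Za-z0-9_-]{11}$/', $raw_id ) ? $raw_id : '';
    update_option( 'att_yt_demo_settings', compact( 'title', 'video_id' ) );
    wp_safe_redirect( admin_url( 'widgets.php' ) );
    exit;
}
add_action( 'admin_post_att_yt_demo_save_safe', 'att_yt_demo_save_safe' );

function att_yt_demo_render_safe() {
    $s = get_option( 'att_yt_demo_settings', array() );
    // 4. Output encoding at the sink, even though the input was already sanitized.
    echo '<h3>' . esc_html( $s['title'] ?? '' ) . '</h3>';
    printf( '<iframe src="%s"></iframe>',
        esc_url( 'https://www.youtube.com/embed/' . ( $s['video_id'] ?? '' ) ) );
}
```

When reviewing a plugin for this class of bug, look for every settings write path (admin-post, admin-ajax, REST, widget update()) and confirm each one performs the nonce check, the capability check, and sink-side escaping together; any one of the three missing leaves the same exposure the advisory describes.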
Exploitation status
Public Exploit Available: false
Analyst recommendation
This CSRF-to-Stored-XSS vulnerability is a critical security flaw that must be addressed urgently. The High severity rating reflects the potential for widespread impact on site visitors. Administrators are strongly advised to apply the vendor's update immediately to mitigate this threat.