The user-supplied class value is fed directly into the sprintf call that builds the HTML. Adding a quote closes the class attribute, after which arbitrary HTML/JavaScript can be injected into the final output.
The template below renders a figure whose class is substituted in via sprintf; the value passed is the unescaped class supplied by the user.

```php
// Template from the extension: the first %s is the user-controlled class,
// inserted by sprintf without any HTML-attribute escaping.
$template = <<<HTML
<figure class="%s" data-service="%s" %s %s>
<div class="embedvideo-wrapper" %s>%s%s%s</div>%s
</figure>
HTML;
```
Note the double quote immediately following the single quote; it closes the class attribute in the template:

```html
<youtube class='" onmouseover="alert(document.domain)' id="dQw4w9WgXcQ">dQw4w9WgXcQ</youtube>
```
Arbitrary HTML can be inserted into the DOM by any user on any page, allowing for JavaScript to be executed.
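The following is an added example, not the extension's own code: the same sprintf pattern with the class passed through verbatim, beside a hardened version that allowlists class tokens and escapes the value for an attribute context. Function names and the constructed payload are hypothetical.

```php
<?php
// Added example (not the extension's code): vulnerable vs hardened rendering
// of the figure template. Only the first two placeholders are kept for brevity.

function figureTemplate(): string
{
    return <<<HTML
<figure class="%s" data-service="%s">
<div class="embedvideo-wrapper"></div>
</figure>
HTML;
}

// Vulnerable: the user-supplied class lands inside the attribute unchanged,
// so a double quote in it terminates class="..." and starts new attributes.
function renderUnsafe(string $class, string $service): string
{
    return sprintf(figureTemplate(), $class, $service);
}

// Hardened: keep only tokens that look like CSS class names, then escape the
// result with ENT_QUOTES so neither quote style can break out of the attribute.
function renderSafe(string $class, string $service): string
{
    $tokens = preg_split('/\s+/', trim($class), -1, PREG_SPLIT_NO_EMPTY);
    $clean = [];
    foreach ($tokens as $token) {
        if (preg_match('/^[A-Za-z_-][A-Za-z0-9_-]*$/', $token)) {
            $clean[] = $token;
        }
    }
    $safeClass   = htmlspecialchars(implode(' ', $clean), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeService = htmlspecialchars($service, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(figureTemplate(), $safeClass, $safeService);
}

// Constructed input with the same attribute break-out shape as the advisory's
// wikitext example (the part that follows the single quote).
$payload = '" onmouseover="alert(document.domain)';

echo "Unsafe:\n", renderUnsafe($payload, 'youtube'), "\n\n";
echo "Safe:\n", renderSafe($payload, 'youtube'), "\n";
```

Running it shows the unsafe output carrying a new onmouseover attribute, while the hardened output drops the injected tokens entirely; even without the allowlist, the ENT_QUOTES escaping alone would keep the quote inside the attribute value.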
```json
{
  "nvd_published_at": null,
  "github_reviewed_at": "2026-06-19T21:15:03Z",
  "github_reviewed": true,
  "severity": "HIGH",
  "cwe_ids": [
    "CWE-79",
    "CWE-80"
  ]
}
```