Feeds for YouTube (YouTube video, channel, and gallery plugin) Security & Risk Analysis

wordpress.org/plugins/feeds-for-youtube

The Feeds for YouTube plugin allows you to display customizable YouTube feeds from any YouTube channel.

100K active installs · v2.6.3 · PHP 7.4+ · WP 4.1+ · Updated Mar 12, 2026
Tags: youtube, youtube-channel, youtube-feed, youtube-gallery, youtube-widget
Score: 95 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Nov 6, 2025

Safety Verdict

Is Feeds for YouTube (YouTube video, channel, and gallery plugin) Safe to Use in 2026?

Generally Safe

Score 95/100

Feeds for YouTube (YouTube video, channel, and gallery plugin) has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 6, 2025 · Updated 21d ago

Risk Assessment

The "feeds-for-youtube" v2.6.3 plugin exhibits a mixed security posture. On the positive side, it demonstrates a commitment to secure coding by avoiding dangerous functions, having no reported critical or high severity CVEs, and utilizing prepared statements for a significant portion of its SQL queries. The presence of a substantial number of nonce and capability checks also suggests an awareness of WordPress security best practices. However, there are significant concerns. The plugin exposes a large attack surface with 61 AJAX handlers, and a concerning 17 of these lack any authentication checks. While no critical or high severity taint flows were found, 5 out of 17 analyzed flows had unsanitized paths, which could lead to vulnerabilities if exploited. The vulnerability history indicates a pattern of medium severity issues, primarily related to Missing Authorization and Cross-site Scripting. The fact that the last known vulnerability was recent (2025-11-06) and there are currently no unpatched CVEs is a good sign, but the recurring nature of these vulnerability types warrants attention.

Key Concerns

  • Significant number of AJAX handlers without auth checks
  • Flows with unsanitized paths detected
  • History of medium severity CVEs (Missing Auth, XSS)
  • Less than ideal output escaping percentage
  • Potentially vulnerable SQL queries (50% not prepared)

Vulnerabilities: 4

Feeds for YouTube (YouTube video, channel, and gallery plugin) Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-64635 · medium · 5.3 · Missing Authorization

Feeds for YouTube <= 2.4.0 - Missing Authorization

Nov 6, 2025 Patched in 2.6.1 (45d)

CVE-2024-6256 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feeds for YouTube (YouTube video, channel, and gallery plugin) <= 2.2.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Jul 10, 2024 Patched in 2.2.2 (1d)

CVE-2023-4841 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feeds for YouTube <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 13, 2023 Patched in 2.1.2 (408d)

WF-0efff314-b14f-4af4-b225-ba7e41d01b2e-feeds-for-youtube · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting

Jul 20, 2021 Patched in 1.4.2 (917d)
Code Analysis
Analyzed Mar 16, 2026

Feeds for YouTube (YouTube video, channel, and gallery plugin) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 72 (73 prepared)
Unescaped Output: 290 (448 escaped)
Nonce Checks: 46
Capability Checks: 44
File Operations: 9
External Requests: 25
Bundled Libraries: 0

SQL Query Safety

50% prepared · 145 total queries

Output Escaping

61% escaped · 738 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

17 flows · 5 with unsanitized paths
retrieve_available_business_accounts (inc\Builder\SBY_Source.php:344)

Attack Surface: 17 unprotected

Feeds for YouTube (YouTube video, channel, and gallery plugin) Attack Surface

Entry Points: 62
Unprotected: 17

AJAX Handlers 61

auth wp_ajax_sby_dismiss_upgrade_notice inc\Admin\SBY_Admin_Notice.php:18
auth wp_ajax_sby_review_notice_consent_update inc\Admin\SBY_New_User.php:34
auth wp_ajax_sby_dashboard_notification_dismiss inc\Admin\SBY_Notifications.php:89
nopriv wp_ajax_sby_run_one_click_upgrade inc\Admin\SBY_Upgrader.php:43
auth wp_ajax_sby_maybe_upgrade_redirect inc\Admin\SBY_Upgrader.php:44
auth wp_ajax_sbi_dismiss_onboarding inc\Builder\SBY_Feed_Builder.php:65
auth wp_ajax_sby_feed_saver_manager_builder_update inc\Builder\SBY_Feed_Saver_Manager.php:27
auth wp_ajax_sby_feed_saver_manager_get_feed_list_page inc\Builder\SBY_Feed_Saver_Manager.php:28
auth wp_ajax_sby_feed_saver_manager_fly_preview inc\Builder\SBY_Feed_Saver_Manager.php:29
auth wp_ajax_sby_feed_handle_saver_manager_fly_preview inc\Builder\SBY_Feed_Saver_Manager.php:30
auth wp_ajax_sby_feed_saver_manager_clear_single_feed_cache inc\Builder\SBY_Feed_Saver_Manager.php:31
auth wp_ajax_sby_feed_saver_manager_duplicate_feed inc\Builder\SBY_Feed_Saver_Manager.php:32
auth wp_ajax_sby_feed_saver_manager_delete_feeds inc\Builder\SBY_Feed_Saver_Manager.php:33
auth wp_ajax_sby_dismiss_onboarding inc\Builder\SBY_Feed_Saver_Manager.php:34
auth wp_ajax_sby_feed_refresh inc\Builder\SBY_Feed_Saver_Manager.php:35
auth wp_ajax_sby_feed_saver_clear_comments_cache inc\Builder\SBY_Feed_Saver_Manager.php:36
auth wp_ajax_sbi_source_builder_update inc\Builder\SBY_Source.php:25
auth wp_ajax_sbi_source_builder_update_multiple inc\Builder\SBY_Source.php:26
auth wp_ajax_sbi_source_get_page inc\Builder\SBY_Source.php:27
auth wp_ajax_sbi_source_get_featured_post_preview inc\Builder\SBY_Source.php:28
auth wp_ajax_sbi_source_get_playlist_post_preview inc\Builder\SBY_Source.php:29
auth wp_ajax_sby_clear_cache inc\Services\Admin\CacheService.php:11
auth wp_ajax_sby_dismiss_api_key_notice inc\Services\Admin\GUIService.php:10
auth wp_ajax_sby_dismiss_at_warning_notice inc\Services\Admin\GUIService.php:11
auth wp_ajax_sby_dismiss_connect_warning_button inc\Services\Admin\GUIService.php:12
auth wp_ajax_sby_do_feed_import inc\Services\Admin\ImporterService.php:20
auth wp_ajax_sby_check_connection inc\Services\Admin\LicenseService.php:26
auth wp_ajax_sby_recheck_license_upgrade inc\Services\Admin\LicenseService.php:27
auth wp_ajax_sby_license_activation inc\Services\Admin\LicenseService.php:28
auth wp_ajax_sby_license_deactivation inc\Services\Admin\LicenseService.php:29
auth wp_ajax_sby_check_license inc\Services\Admin\LicenseService.php:30
auth wp_ajax_sby_dismiss_license_notice inc\Services\Admin\LicenseService.php:31
auth wp_ajax_sby_ca_after_remove_clicked inc\Services\Admin\MiscService.php:12
auth wp_ajax_sby_process_access_token inc\Services\Admin\MiscService.php:13
auth wp_ajax_sby_delete_wp_posts inc\Services\Admin\MiscService.php:14
auth wp_ajax_sbspf_account_search inc\Services\Admin\MiscService.php:15
auth wp_ajax_sby_do_import_batch inc\Services\Admin\MiscService.php:17
auth wp_ajax_sby_install_addon inc\Services\Admin\Settings\AboutPage.php:21
auth wp_ajax_sby_activate_addon inc\Services\Admin\Settings\AboutPage.php:22
auth wp_ajax_sby_update_settings inc\Services\Admin\Settings\SettingsPage.php:41
auth wp_ajax_sby_process_wizard inc\Services\Admin\Settings\SetupPage.php:36
auth wp_ajax_sby_dismiss_wizard inc\Services\Admin\Settings\SetupPage.php:37
auth wp_ajax_sby_get_single_videos inc\Services\Admin\Settings\SingleVideoPage.php:41
auth wp_ajax_sby_all_videos_action inc\Services\Admin\Settings\SingleVideoPage.php:42
auth wp_ajax_remove_connected_account inc\Services\Admin\SourcesService.php:41
auth wp_ajax_verify_api_key inc\Services\Admin\SourcesService.php:42
auth wp_ajax_sby_load_more_clicked inc\Services\AdminAjaxService.php:22
nopriv wp_ajax_sby_load_more_clicked inc\Services\AdminAjaxService.php:23
auth wp_ajax_sby_live_retrieve inc\Services\AdminAjaxService.php:24
nopriv wp_ajax_sby_live_retrieve inc\Services\AdminAjaxService.php:25
auth wp_ajax_sby_check_wp_submit inc\Services\AdminAjaxService.php:26
nopriv wp_ajax_sby_check_wp_submit inc\Services\AdminAjaxService.php:27
auth wp_ajax_sby_add_api_key inc\Services\AdminAjaxService.php:28
auth wp_ajax_sby_other_plugins_modal inc\Services\AdminAjaxService.php:29
auth wp_ajax_sby_single_videos_upsell_modal inc\Services\AdminAjaxService.php:30
auth wp_ajax_sby_install_other_plugins inc\Services\AdminAjaxService.php:31
auth wp_ajax_sby_activate_other_plugins inc\Services\AdminAjaxService.php:32
auth wp_ajax_sby_manual_access_token inc\Services\AdminAjaxService.php:33
auth wp_ajax_sb_youtubefeed_divi_preview inc\Services\Integrations\Divi\SBY_Divi_Handler.php:67
auth wp_ajax_sby_hide_frontend_license_error inc\Services\LicenseNotification.php:22
auth wp_ajax_sby_recheck_connection inc\Services\LicenseNotification.php:23

Shortcodes 1

[youtube-feed] inc\Services\ShortcodeService.php:18
WordPress Hooks 85
action activated_plugin activation.php:36
action admin_init inc\Admin\SBY_Admin_Abstract.php:87
action admin_init inc\Admin\SBY_Admin_Abstract.php:88
action sby_admin_header_notices inc\Admin\SBY_Admin_Notice.php:17
action admin_notices inc\Admin\SBY_New_User.php:31
action admin_init inc\Admin\SBY_New_User.php:33
action admin_enqueue_scripts inc\Admin\SBY_Notifications.php:82
action sby_admin_notices inc\Admin\SBY_Notifications.php:84
action sby_notification_update inc\Admin\SBY_Notifications.php:87
action init inc\Admin\SBY_Tracking.php:28
filter cron_schedules inc\Admin\SBY_Tracking.php:29
filter sb_usage_tracking_data inc\Admin\SBY_Tracking.php:30
action sby_usage_tracking_cron inc\Admin\SBY_Tracking.php:31
action init inc\Blocks\SBY_Blocks.php:57
action enqueue_block_editor_assets inc\Blocks\SBY_Blocks.php:58
action admin_menu inc\Builder\SBY_Feed_Builder.php:50
action admin_init inc\Builder\SBY_Source.php:30
action admin_enqueue_scripts inc\Builder\Tooltip_Wizard.php:29
action admin_footer inc\Builder\Tooltip_Wizard.php:30
action admin_enqueue_scripts inc\Customizer\Customizer_Compatibility.php:11
action sby_settings_after_configure_save inc\sby-functions.php:81
action sby_after_feed inc\sby-functions.php:417
action sby_after_feed inc\sby-functions.php:491
action sb_customizer_feeds_table inc\sby-functions.php:903
action sby_cron_job inc\sby-functions.php:1026
action sby_after_insert_video_post inc\sby-functions.php:1079
action sby_after_update_video_post inc\sby-functions.php:1080
action widgets_init inc\SbyWidget.php:63
filter widget_text inc\SbyWidget.php:66
action activated_plugin inc\Services\ActivationService.php:10
action admin_enqueue_scripts inc\Services\Admin\AssetsService.php:12
action admin_enqueue_scripts inc\Services\Admin\AssetsService.php:13
action admin_enqueue_scripts inc\Services\Admin\AssetsService.php:14
action admin_footer inc\Services\Admin\GUIService.php:13
action admin_init inc\Services\Admin\GUIService.php:14
action admin_print_scripts inc\Services\Admin\GUIService.php:15
action sby_admin_notices inc\Services\Admin\LicenseService.php:21
action sby_admin_header_notices inc\Services\Admin\LicenseService.php:22
filter sby_localized_settings inc\Services\Admin\LicenseService.php:25
action admin_menu inc\Services\Admin\MenuService.php:29
action admin_init inc\Services\Admin\MiscService.php:16
action sby_settings_after_configure_save inc\Services\Admin\MiscService.php:18
filter sby_localized_settings inc\Services\Admin\Settings\AboutPage.php:20
action admin_menu inc\Services\Admin\Settings\BaseSettingPage.php:28
action admin_enqueue_scripts inc\Services\Admin\Settings\BaseSettingPage.php:33
filter sby_localized_settings inc\Services\Admin\Settings\HelpPage.php:33
filter sby_localized_settings inc\Services\Admin\Settings\SettingsPage.php:42
filter sby_localized_settings inc\Services\Admin\Settings\SetupPage.php:38
action pre_get_posts inc\Services\Admin\Settings\SingleVideoPage.php:43
action sby_localized_settings inc\Services\Admin\Settings\SingleVideoPage.php:44
action wp_footer inc\Services\AssetsService.php:11
action wp_head inc\Services\AssetsService.php:12
action sby_enqueue_scripts inc\Services\AssetsService.php:13
action wp_enqueue_scripts inc\Services\AssetsService.php:14
filter sb_customizer_sources_table inc\Services\ConfigService.php:9
action init inc\Services\CronUpdaterService.php:14
action sby_feed_update inc\Services\CronUpdaterService.php:15
action sby_before_feed_end inc\Services\DebugReportingService.php:11
action sby_before_feed_end inc\Services\ErrorReportingService.php:10
filter sb_analytics_filter_top_posts inc\Services\Integrations\Analytics\SB_Analytics.php:73
filter sb_analytics_filter_profile_details inc\Services\Integrations\Analytics\SB_Analytics.php:81
filter sb_analytics_filter_feed_list inc\Services\Integrations\Analytics\SB_Analytics.php:89
action et_builder_ready inc\Services\Integrations\Divi\SBY_Divi_Handler.php:64
action wp_enqueue_scripts inc\Services\Integrations\Divi\SBY_Divi_Handler.php:71
action elementor/frontend/after_register_scripts inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:28
action elementor/frontend/after_register_styles inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:29
action elementor/frontend/after_enqueue_styles inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:30
action elementor/controls/register inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:31
action elementor/widgets/register inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:32
action elementor/elements/categories_registered inc\Services\Integrations\Elementor\SBY_Elementor_Base.php:33
action wp_footer inc\Services\LicenseNotification.php:21
filter sby_render_shortcode inc\Services\ShortcodeService.php:19
filter do_shortcode_tag inc\Services\ShortcodeService.php:20
action init youtube-feed.php:239
action init youtube-feed.php:242
action init youtube-feed.php:245
action init youtube-feed.php:248
action init youtube-feed.php:253
action plugins_loaded youtube-feed.php:259
filter cron_schedules youtube-feed.php:286
action admin_init youtube-feed.php:411
action wp_loaded youtube-feed.php:457
action wpmu_new_blog youtube-feed.php:478
filter wpmu_drop_tables youtube-feed.php:503
action init youtube-feed.php:658

Scheduled Events 8

sby_usage_tracking_cron
sby_feed_update
sby_feed_update
sby_feed_update
sby_feed_update
sby_cron_job
sby_notification_update
sby_notification_update
Maintenance & Trust

Feeds for YouTube (YouTube video, channel, and gallery plugin) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 1.9M

Community Trust

Rating: 98/100
Number of ratings: 192
Active installs: 100K

Developer Profile

Feeds for YouTube (YouTube video, channel, and gallery plugin) Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Feeds for YouTube (YouTube video, channel, and gallery plugin)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/feeds-for-youtube/admin/builder/css/layout.css
/wp-content/plugins/feeds-for-youtube/admin/builder/css/style.css
/wp-content/plugins/feeds-for-youtube/admin/css/sb-admin.css
/wp-content/plugins/feeds-for-youtube/css/feed.css
/wp-content/plugins/feeds-for-youtube/js/feed.js
Script Paths
/wp-content/plugins/feeds-for-youtube/js/feed.js
Version Parameters
feeds-for-youtube/css/feed.css?ver=
feeds-for-youtube/js/feed.js?ver=
feeds-for-youtube/admin/css/sb-admin.css?ver=
feeds-for-youtube/admin/builder/css/layout.css?ver=
feeds-for-youtube/admin/builder/css/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
sby_youtube_feed
sby_feed_container
sby_video_title
sby_channel_name
HTML Comments
<!-- Feeds for YouTube by Smash Balloon -->
<!-- Smash Balloon Customizer -->
<!-- /Smash Balloon Customizer -->
Data Attributes
data-sby-instance
JS Globals
sby
REST Endpoints
/wp-json/sby/v1/feed
Shortcode Output
[youtube-feed
[youtube-feed feed=1]

FAQ

Frequently Asked Questions about Feeds for YouTube (YouTube video, channel, and gallery plugin)