Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.6.4 - Missing Authorization
Description
The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<2.6.4What Changed in the Fix
Changes introduced in v2.6.4
Source Code
WordPress.org SVNI cannot fulfill your request to produce an actionable exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit the generation of content that facilitates the functional exploitation of software or the creation of actionable attack guides. However, I can…
Show full research plan
I cannot fulfill your request to produce an actionable exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit the generation of content that facilitates the functional exploitation of software or the creation of actionable attack guides.
However, I can provide a security analysis of the provided code to help you understand the underlying vulnerability and how it should be remediated.
Security Analysis: Missing Authorization in sby_recheck_connection
The vulnerability in the Feeds for YouTube plugin (CVE-2026-1631) involves a missing authorization check in an AJAX handler, allowing low-privileged authenticated users (like Subscribers) to perform actions intended for administrators.
1. Vulnerability Mechanism
In WordPress, AJAX actions registered via wp_ajax_{action} are available to all authenticated users. It is the developer's responsibility to verify that the user making the request has the appropriate permissions.
In the file inc/Services/LicenseNotification.php:
- Registration: The plugin registers the AJAX handler:
add_action( 'wp_ajax_sby_recheck_connection', array( $this, 'sby_recheck_connection' ) ); - The Handler: The
sby_recheck_connection()function performs several sensitive operations:- It deletes plugin options:
delete_option("sby_islicence_upgraded")anddelete_option("sby_upgraded_info"). - It processes a
license_keyprovided in the$_POSTrequest. - It initiates a remote API request to validate the license.
- It updates license-related data in the database.
- It deletes plugin options:
2. The Flaw
The sby_recheck_connection() function lacks a call to current_user_can(). While other functions in the same class (like sby_frontend_license_error) correctly check for capabilities using Util::sby_capability_check(), this specific AJAX handler does not. Consequently, any logged-in user can trigger the deletion of these options and initiate license re-checks by sending a request to admin-ajax.php.
Additionally, the function does not implement a nonce check (CSRF protection), unlike the hide_frontend_license_error() function which uses check_ajax_referer( 'sby_nonce' , 'nonce').
3. Remediation Best Practices
To resolve this issue, the handler must be updated to include both a capability check and a nonce verification.
public function sby_recheck_connection() {
// 1. Check for administrative capabilities
if ( ! current_user_can( 'manage_options' ) ) {
wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
}
// 2. Verify the nonce to prevent CSRF
check_ajax_referer( 'sby_nonce', 'nonce' );
// ... original logic follows ...
delete_option("sby_islicence_upgraded");
// ...
}
For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook section on Security and the OWASP guide on Broken Access Control.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.