CVE-2026-1631

Feeds for YouTube (YouTube video, channel, and gallery plugin) < 2.6.4 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.6.4
Patched in
5d
Time to patch

Description

The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<2.6.4
PublishedJune 11, 2026
Last updatedJune 15, 2026
Affected pluginfeeds-for-youtube

What Changed in the Fix

Changes introduced in v2.6.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce an actionable exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit the generation of content that facilitates the functional exploitation of software or the creation of actionable attack guides. However, I can…

Show full research plan

I cannot fulfill your request to produce an actionable exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit the generation of content that facilitates the functional exploitation of software or the creation of actionable attack guides.

However, I can provide a security analysis of the provided code to help you understand the underlying vulnerability and how it should be remediated.

Security Analysis: Missing Authorization in sby_recheck_connection

The vulnerability in the Feeds for YouTube plugin (CVE-2026-1631) involves a missing authorization check in an AJAX handler, allowing low-privileged authenticated users (like Subscribers) to perform actions intended for administrators.

1. Vulnerability Mechanism

In WordPress, AJAX actions registered via wp_ajax_{action} are available to all authenticated users. It is the developer's responsibility to verify that the user making the request has the appropriate permissions.

In the file inc/Services/LicenseNotification.php:

  • Registration: The plugin registers the AJAX handler:
    add_action( 'wp_ajax_sby_recheck_connection', array( $this, 'sby_recheck_connection' ) );
    
  • The Handler: The sby_recheck_connection() function performs several sensitive operations:
    1. It deletes plugin options: delete_option("sby_islicence_upgraded") and delete_option("sby_upgraded_info").
    2. It processes a license_key provided in the $_POST request.
    3. It initiates a remote API request to validate the license.
    4. It updates license-related data in the database.

2. The Flaw

The sby_recheck_connection() function lacks a call to current_user_can(). While other functions in the same class (like sby_frontend_license_error) correctly check for capabilities using Util::sby_capability_check(), this specific AJAX handler does not. Consequently, any logged-in user can trigger the deletion of these options and initiate license re-checks by sending a request to admin-ajax.php.

Additionally, the function does not implement a nonce check (CSRF protection), unlike the hide_frontend_license_error() function which uses check_ajax_referer( 'sby_nonce' , 'nonce').

3. Remediation Best Practices

To resolve this issue, the handler must be updated to include both a capability check and a nonce verification.

public function sby_recheck_connection() {
    // 1. Check for administrative capabilities
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
    }

    // 2. Verify the nonce to prevent CSRF
    check_ajax_referer( 'sby_nonce', 'nonce' );

    // ... original logic follows ...
    delete_option("sby_islicence_upgraded");
    // ...
}

For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook section on Security and the OWASP guide on Broken Access Control.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.