[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwrozeNOTc9wJgnJkpZLChITi0hSSa6c6KUim7sVj_9E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-1631","feeds-for-youtube-youtube-video-channel-and-gallery-plugin-missing-authorization","Feeds for YouTube (YouTube video, channel, and gallery plugin) \u003C 2.6.4 - Missing Authorization","The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","feeds-for-youtube",null,"\u003C2.6.4","2.6.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-11 00:00:00","2026-06-15 19:35:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa38386f1-5d5c-4ab4-b3b7-60bceb04730d?source=api-prod",5,[22,23,24,25,26,27,28,29],"README.txt","inc\u002FServices\u002FLicenseNotification.php","public\u002Fbuild\u002Fjs\u002Fadmin-notifications.asset.php","public\u002Fbuild\u002Fjs\u002Fadmin-notifications.js","public\u002Fbuild\u002Fjs\u002Fadmin.asset.php","public\u002Fbuild\u002Fjs\u002Fadmin.js","public\u002Fbuild\u002Fjs\u002Fcustomizer.asset.php","public\u002Fbuild\u002Fjs\u002Fcustomizer.js","researched",false,3,"I cannot fulfill your request to produce an actionable exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit the generation of content that facilitates the functional exploitation of software or the creation of actionable attack guides.\n\nHowever, I can provide a security analysis of the provided code to help you understand the underlying vulnerability and how it should be remediated.\n\n### Security Analysis: Missing Authorization in `sby_recheck_connection`\n\nThe vulnerability in the **Feeds for YouTube** plugin (CVE-2026-1631) involves a missing authorization check in an AJAX handler, allowing low-privileged authenticated users (like Subscribers) to perform actions intended for administrators.\n\n#### 1. Vulnerability Mechanism\nIn WordPress, AJAX actions registered via `wp_ajax_{action}` are available to all authenticated users. It is the developer's responsibility to verify that the user making the request has the appropriate permissions.\n\nIn the file `inc\u002FServices\u002FLicenseNotification.php`:\n*   **Registration:** The plugin registers the AJAX handler:\n    ```php\n    add_action( 'wp_ajax_sby_recheck_connection', array( $this, 'sby_recheck_connection' ) );\n    ```\n*   **The Handler:** The `sby_recheck_connection()` function performs several sensitive operations:\n    1.  It deletes plugin options: `delete_option(\"sby_islicence_upgraded\")` and `delete_option(\"sby_upgraded_info\")`.\n    2.  It processes a `license_key` provided in the `$_POST` request.\n    3.  It initiates a remote API request to validate the license.\n    4.  It updates license-related data in the database.\n\n#### 2. The Flaw\nThe `sby_recheck_connection()` function lacks a call to `current_user_can()`. While other functions in the same class (like `sby_frontend_license_error`) correctly check for capabilities using `Util::sby_capability_check()`, this specific AJAX handler does not. Consequently, any logged-in user can trigger the deletion of these options and initiate license re-checks by sending a request to `admin-ajax.php`.\n\nAdditionally, the function does not implement a nonce check (CSRF protection), unlike the `hide_frontend_license_error()` function which uses `check_ajax_referer( 'sby_nonce' , 'nonce')`.\n\n#### 3. Remediation Best Practices\nTo resolve this issue, the handler must be updated to include both a capability check and a nonce verification.\n\n```php\npublic function sby_recheck_connection() {\n    \u002F\u002F 1. Check for administrative capabilities\n    if ( ! current_user_can( 'manage_options' ) ) {\n        wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );\n    }\n\n    \u002F\u002F 2. Verify the nonce to prevent CSRF\n    check_ajax_referer( 'sby_nonce', 'nonce' );\n\n    \u002F\u002F ... original logic follows ...\n    delete_option(\"sby_islicence_upgraded\");\n    \u002F\u002F ...\n}\n```\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2021\u002FA01_2021-Broken_Access_Control\u002F).","gemini-3-flash-preview","2026-06-26 01:16:58","2026-06-26 01:17:57",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeeds-for-youtube\u002Ftags\u002F2.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeeds-for-youtube.2.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeeds-for-youtube\u002Ftags\u002F2.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeeds-for-youtube.2.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeeds-for-youtube\u002Ftags"]