Description
The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
Published: 2026-01-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Read
Action: Upgrade Plugin
AI Analysis

Impact

The Feeds for YouTube Pro plugin contains a path-traversal flaw that allows an unauthenticated attacker to read arbitrary files on the server by invoking the unprotected sby_check_wp_submit AJAX action. Insufficient sanitization of user-supplied data and its direct use in a file operation enables this read. The weakness is classified as CWE-22, and the CVSS score of 5.9 indicates moderate severity.
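The record describes the weakness only as CWE-22 reached through an AJAX action. The block below is an added illustration, not code from the Feeds for YouTube Pro plugin or from Awesome Motive, of the two controls a WordPress AJAX handler that performs file work needs: access control (nonce plus capability check, registered only on the authenticated wp_ajax_ hook, never on wp_ajax_nopriv_) and confinement of any user-influenced path to a base directory via realpath(). The function, hook and nonce names (sby_example_resolve_inside, sby_example_safe_read, sby_example_nonce) are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration (not the plugin's code). Names prefixed sby_example_ are hypothetical.

/**
 * Resolve $user_path relative to $base_dir and return the canonical path,
 * or false if it does not exist or escapes the base directory.
 */
function sby_example_resolve_inside( string $base_dir, string $user_path ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    // A NUL byte can truncate the path in lower-level calls; reject it outright.
    if ( false !== strpos( $user_path, "\0" ) ) {
        return false;
    }
    // realpath() collapses "..", "./" and symlinks, so the prefix check below
    // runs against the real on-disk location rather than the supplied string.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $user_path, '/\\' ) );
    if ( false === $candidate ) {
        return false; // file does not exist: nothing to read, nothing to leak
    }
    // The trailing separator matters: without it "/var/www/uploads2" would pass
    // for base "/var/www/uploads".
    if ( 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $candidate;
}

// Registered on wp_ajax_ only, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_sby_example_safe_read', 'sby_example_safe_read' );

function sby_example_safe_read() {
    // CSRF protection: dies with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'sby_example_nonce', 'nonce' );
    // Authorization: restrict the action to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $path   = sby_example_resolve_inside(
        $upload['basedir'],
        isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : ''
    );
    if ( false === $path ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // Only metadata is returned here; returning file contents would still be
    // limited to files inside the uploads directory.
    wp_send_json_success( array( 'size' => filesize( $path ) ) );
}
```

With this layout the reachability of the file operation no longer depends on a plugin setting being in a particular state, as it does in this record: a request without a valid nonce and the required capability is rejected before any path is touched, and a path that resolves outside the uploads directory is rejected regardless of how it was encoded.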

Affected Systems

All installations of the Pro version of Feeds for YouTube (issued by Awesome Motive) at version 2.6.0 or earlier are vulnerable. Versions newer than 2.6.0 are presumed patched, and non-Pro releases are not affected.

Risk and Exploitability

The vulnerability requires no credentials and can be triggered with an HTTP request to the plugin's AJAX endpoint, so exploitation is straightforward once the two plugin settings named in the description are in the vulnerable state (the CVSS vector in this record rates attack complexity as high, consistent with that precondition). The EPSS score of <1% suggests a low probability of exploitation in the wild, and the issue is not tracked in the CISA KEV catalog. If the vulnerable settings remain enabled, an attacker could read arbitrary files, potentially exposing configuration data, credentials or other secrets.

Generated by OpenCVE AI on April 21, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Feeds for YouTube Pro to a version newer than 2.6.0 once a patch is available to remove the path-traversal flaw.
  • If an upgrade cannot be performed, disable or uninstall the Feeds for YouTube Pro plugin to eliminate the vulnerable AJAX endpoint.
  • Disable the “Save Featured Images” option and enable the “Disable WP Posts” setting to prevent the file read path from being exercised when the plugin stays installed.
  • Implement file-system permission hardening on the WordPress installation to limit PHP's read access to non-essential files.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress

Sat, 17 Jan 2026 02:30:00 +0000

Type: Description
Values Added: The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.

Type: Title
Values Added: Feeds for YouTube Pro <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:55.679Z

Reserved: 2025-10-20T22:16:51.229Z

Link: CVE-2025-12002

Vulnrichment

Updated: 2026-01-20T18:45:51.874Z

NVD

Status: Deferred

Published: 2026-01-17T03:16:02.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses