Description
The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Request Forgery enabling unauthorized modification of plugin settings
Action: Patch
AI Analysis

Impact

The WP Youtube Video Gallery plugin lacks nonce verification in the wpYTVideoGallerySettingSave() function, allowing a Cross-site Request Forgery attack. An unauthenticated attacker can craft a forged request that, if a site administrator clicks a link or interacts with a malicious page, changes the plugin's settings. The CWE-352 weakness permits the attacker to alter configuration, which could alter site behavior or facilitate further attacks.

Affected Systems

The vulnerability affects the waqasvickey0071 WP Youtube Video Gallery plugin for WordPress, version 1.0 and all earlier releases.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests low likelihood of exploitation. The attack vector is a web-based CSRF request that requires an administrator to act on a forged link; no authentication or privilege escalation is needed. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Youtube Video Gallery plugin to the latest version or remove it if no newer release is available.
  • Educate administrators to avoid clicking suspicious links that could trigger a CSRF request.
  • Implement a web application firewall rule or rewrite to reject any request that updates plugin settings without a valid WordPress nonce.

Generated by OpenCVE AI on April 21, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Waqasvickey0071
Waqasvickey0071 wp Youtube Video Gallery
Wordpress
Wordpress wordpress
Vendors & Products Waqasvickey0071
Waqasvickey0071 wp Youtube Video Gallery
Wordpress
Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type Values Removed Values Added
Description The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Waqasvickey0071 Wp Youtube Video Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:04.408Z

Reserved: 2025-12-18T18:08:36.266Z

Link: CVE-2025-14906

cve-icon Vulnrichment

Updated: 2026-01-26T15:29:34.019Z

cve-icon NVD

Status : Deferred

Published: 2026-01-24T08:16:06.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses