Impact
The vulnerability arises from a missing authorization check in the WordPress "Import YouTube videos as WP Posts" plugin. Because the plugin does not properly verify user permissions before allowing the import operation, an attacker can create new WordPress posts from YouTube videos even if they lack the necessary editor or administrator privileges. This flaw could be used to inject arbitrary content, conduct phishing or malware campaigns, or otherwise compromise the site’s integrity. The weakness is characterized by CWE-862, which denotes missing authorization.
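The missing check described above, shown as an added example that is not the plugin's own code: a WordPress AJAX handler that creates a post with no capability check, beside a hardened version. The handler names, the `example_yt_import` action, the nonce field and the choice of `edit_others_posts` as the required capability are assumptions made for illustration.

```php
<?php
// Added illustration. Handler names, the AJAX action and the nonce action are
// hypothetical and are not taken from the plugin's source.

// BEFORE (the CWE-862 pattern): wp_ajax_* hooks fire for ANY logged-in user,
// and wp_insert_post() performs no capability check of its own, so a
// low-privileged account reaching this handler gets a published post.
function example_yt_import_unchecked() {
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $post_id = wp_insert_post( array(
        'post_title'  => $title,
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// AFTER: authorize first, then verify the nonce, then validate input.
function example_yt_import_checked() {
    // Authorization: capability assumed here to match "editor or administrator".
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // CSRF: the request must carry a nonce issued for this action;
    // check_ajax_referer() terminates the request if it does not.
    check_ajax_referer( 'example_yt_import', 'nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing title' ), 400 );
    }

    $post_id = wp_insert_post( array(
        'post_title'  => $title,
        'post_status' => 'draft', // imported content is reviewed before publishing
    ), true ); // true: return WP_Error instead of 0 on failure

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Only the checked handler is registered.
add_action( 'wp_ajax_example_yt_import', 'example_yt_import_checked' );
```

A nonce alone is not an authorization control, since any logged-in user who can load the page that prints it can obtain one; the `current_user_can()` call is what closes the gap.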
Affected Systems
The flaw is present in all releases of the Import YouTube videos as WP Posts plugin up to and including version 2.1. The affected product is provided by the vendor "enguerranws". Any WordPress installation that has an affected version of this plugin installed is vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% means the estimated probability of exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the potential impact is significant because the flaw can be exploited by authenticated users without the required access level. The likely attack vector is an attacker authenticating to the site and sending a request to the plugin’s import endpoint, which is presumed to be reachable via normal WordPress admin URLs. The description does not detail additional prerequisites, so this attack vector is an inference from the nature of the plugin’s functionality and typical WordPress access patterns.