Description
Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live wp-youtube-live allows Cross Site Request Forgery.This issue affects WP YouTube Live: from n/a through <= 1.10.0.
Published: 2025-06-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP YouTube Live plugin for WordPress contains a Cross‑Site Request Forgery flaw (CWE‑352). This weakness allows an attacker to trick an authenticated user into sending a request that triggers privileged actions within the plugin. The attacker can potentially upload a video, alter playback settings, or otherwise modify content that the affected user is permitted to edit. The impact equals the privileges of the victim user, which could lead to unauthorized content changes or other side effects within the WordPress site.

Affected Systems

WordPress installations that run macbookandrew's WP YouTube Live plugin version 1.10.0 or earlier are affected. The vulnerability persists across all releases up to and including 1.10.0 and applies to both public and private deployments of the plugin.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% suggests that exploitation is unlikely at present. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could host a malicious web page that loads a forged request targeting the plugin’s internal endpoints while the victim is authenticated, thereby leveraging the missing CSRF protection.

Generated by OpenCVE AI on April 30, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of WP YouTube Live that is newer than 1.10.0, which removes the CSRF vulnerability.
  • If an upgrade cannot be performed immediately, limit the plugin’s administrative capabilities to users with minimal privileges and add CSRF tokens on all forms that perform privileged actions.
  • If that is not feasible, disable or delete the WP YouTube Live plugin from the site until a patched version is available.

Generated by OpenCVE AI on April 30, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19340 Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0. Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live wp-youtube-live allows Cross Site Request Forgery.This issue affects WP YouTube Live: from n/a through <= 1.10.0.
Title WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) Vulnerability WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0.
Title WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:22.083Z

Reserved: 2025-06-27T11:58:24.741Z

Link: CVE-2025-53261

cve-icon Vulnrichment

Updated: 2025-06-27T13:55:49.845Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T14:15:45.850

Modified: 2026-04-23T15:32:22.793

Link: CVE-2025-53261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T17:15:42Z

Weaknesses