Description
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
Published: 2026-07-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Video Gallery – YouTube Gallery, Playlist & Video Grid plugin for WordPress contains an Arbitrary Function Call flaw in all releases up to and including 4.0.3. The vulnerability arises in the emd_delete_file() AJAX handler, where the user‑supplied 'path' parameter is sanitized only with sanitize_text_field() and any trailing '_PLUGIN_DIR' substring is removed. The remaining value is then invoked as a PHP function name with no arguments through a variable function call. No capability checks are performed, so the endpoint is protected solely by a nonce that is emitted on any front‑end page that renders a form shortcode containing file fields. This allows an attacker to trigger calls to any zero‑argument PHP function (for example phpinfo, phpversion, get_defined_vars, error_get_last), exposing sensitive information and potentially providing further entry points for compromise. The exposed functions can reveal environment details, configuration settings, or other internal data that could be leveraged in subsequent exploits, such as code execution or credential theft. The vulnerable code is contained in includes/common-functions.php, and the AJAX route is available to any authenticated user who can obtain the relevant nonce.

Affected Systems

The affected product is the Video Gallery – YouTube Gallery, Playlist & Video Grid plugin authored by emarket‑design. All releases up to and including 4.0.3 are vulnerable. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact vulnerability. Because the handler lacks proper authorization checks, it is inferred that any logged‑in user who holds Subscriber level privileges or higher can exploit the flaw if they can obtain a valid request nonce. The attacker must construct an HTTP request to the AJAX endpoint, injecting the function name into the 'path' parameter. EPSS data is unavailable, and the issue is not present in the CISA KEV catalog, but the straightforward attack path and lack of capability verification make the vulnerability actionable on any site running the specific plugin version.

Generated by OpenCVE AI on July 1, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Video Gallery – YouTube Gallery, Playlist & Video Grid plugin to a version that incorporates the fix
  • Modify the theme or the plugin to restrict the AJAX shortcode from generating the nonce on public pages, or add a capability check such as current_user_can('manage_options') before processing the request
  • If an immediate update is not possible, deactivate the plugin or remove the AJAX handler from the site’s code to eliminate the vulnerability
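
The capability check recommended above, combined with replacing the variable function call by an allowlist lookup, could look like the following. This is an added PHP sketch, not the plugin's code: the handler name, nonce action, AJAX action, allowlist key, directory and the 'file' parameter are hypothetical placeholders, and only the WordPress core functions are real.

```php
<?php
// Added illustration, not the plugin's code. Everything named example_* and
// the 'file' request parameter are hypothetical placeholders.

// Fixed server-side map from a client-supplied key to an upload directory.
// Client input only selects an entry; it is never used as a function name.
function example_allowed_upload_dirs(): array {
    $uploads = wp_upload_dir();
    return array(
        'example_form_files' => trailingslashit( $uploads['basedir'] ) . 'example-form-files',
    );
}

function example_delete_file_handler(): void {
    // 1. The nonce is CSRF protection only; it does not prove authorization.
    check_ajax_referer( 'example_delete_file_nonce', 'nonce' );

    // 2. Authorization: the capability check named in the recommended actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. sanitize_text_field() cleans text; it does not make a value safe to call.
    $key  = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $dirs = example_allowed_upload_dirs();
    if ( ! array_key_exists( $key, $dirs ) ) {
        wp_send_json_error( array( 'message' => 'Unknown path key' ), 400 );
    }

    // 4. Confine the target to the allowlisted directory after resolving it.
    $name   = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $base   = realpath( $dirs[ $key ] );
    $target = realpath( $dirs[ $key ] . '/' . $name );
    if ( '' === $name || false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file' ), 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_handler' );
```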



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
Title | | Video Gallery <= 4.0.3 - Authenticated (Subscriber+) Arbitrary Function Call via 'path' Parameter
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:05.596Z

Reserved: 2026-06-22T16:48:46.550Z

Link: CVE-2026-12923

Vulnrichment

Updated: 2026-07-01T10:30:55.519Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')