Description
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above to delete the license key.
Published: 2026-05-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Feeds for YouTube WordPress plugin before version 2.6.4 contains a missing capability check in its 'actions' function. This flaw allows any user with the Subscriber role or higher to remove the plugin's stored license data, effectively deleting the license key and disabling licensed features. The vulnerability does not provide arbitrary code execution or compromise of other components; it solely grants lower-privileged users unauthorized modification of a critical plugin configuration.
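To make the missing-capability-check pattern (CWE-862) concrete, here is an added illustrative WordPress AJAX handler. It is not the plugin's code: the hook name, function names and option name are hypothetical. It shows the unchecked form beside a hardened one that verifies a nonce and the caller's capability before touching license data.

```php
<?php
// Illustrative example, not the Feeds for YouTube plugin's code.
// All hook, function and option names below are hypothetical.

// Every logged-in user can reach a wp_ajax_{action} hook, which is why a
// Subscriber is enough to trigger the handler when no capability is checked.
add_action( 'wp_ajax_example_plugin_actions', 'example_plugin_actions_vulnerable' );

// Vulnerable pattern: a state-changing action with no authorization check.
function example_plugin_actions_vulnerable() {
    if ( isset( $_POST['action_type'] ) && 'delete_license' === $_POST['action_type'] ) {
        // Any authenticated user reaches this line and wipes the stored key.
        delete_option( 'example_plugin_license_key' );
        wp_send_json_success();
    }
    wp_send_json_error();
}

// Hardened pattern: nonce check (anti-CSRF) plus an explicit capability check
// before any option is modified.
function example_plugin_actions_fixed() {
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_plugin_nonce', 'nonce' );

    // Capability check: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $action_type = isset( $_POST['action_type'] )
        ? sanitize_key( wp_unslash( $_POST['action_type'] ) )
        : '';

    if ( 'delete_license' === $action_type ) {
        delete_option( 'example_plugin_license_key' );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown action', 400 );
}
```

The fix that matters for this class of bug is the `current_user_can()` check: the nonce alone only proves the request came from a page the caller could load, not that the caller is authorized to change the setting. When reviewing a plugin, look for every `wp_ajax_` or `admin_post_` handler that writes options and confirm both checks are present before the write.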

Affected Systems

Any WordPress site running Feeds for YouTube version 2.6.3 or earlier is vulnerable. No other vendors or product versions are mentioned.

Risk and Exploitability

The EPSS score of < 1% indicates a low but nonzero exploitation probability. The CVSS score of 5.4 indicates medium severity. It is not listed in CISA KEV. Exploitation requires authentication with at least Subscriber privileges, a role that may exist on many sites. An attacker can delete the license key, potentially rendering the plugin unusable but not exposing broader system compromise.

Generated by OpenCVE AI on May 18, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Feeds for YouTube plugin to version 2.6.4 or newer, which introduces a proper capability check.
  • Restrict the Subscriber role (or any role with access to plugin configuration) so that it cannot execute actions that modify license data.
  • If the plugin is not essential, disable or uninstall it until a patched version is available.

Advisories

No advisories yet.

History

Mon, 18 May 2026 16:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-284

Mon, 18 May 2026 14:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-862
Metrics                       cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 11:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Smashballoon
                                      Smashballoon feeds For Youtube
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Smashballoon
                                      Smashballoon feeds For Youtube
                                      Wordpress
                                      Wordpress wordpress

Mon, 18 May 2026 08:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-284

Mon, 18 May 2026 06:30:00 +0000

Type         Values Removed   Values Added
Description                   The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above to delete the license key.
Title                         Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-18T13:39:28.618Z

Reserved: 2026-01-29T15:55:18.319Z

Link: CVE-2026-1631

Vulnrichment

Updated: 2026-05-18T13:39:25.252Z

NVD

Status: Deferred

Published: 2026-05-18T07:16:12.020

Modified: 2026-05-18T17:05:46.240

Link: CVE-2026-1631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T17:30:05Z

Weaknesses