Description
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above to delete the license key.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Feeds for YouTube WordPress plugin before version 2.6.4 contains a missing capability check in its actions function. This flaw allows any user with the Subscriber role or higher to remove the plugin’s stored license data, effectively deleting the license key and disabling licensed features. The vulnerability does not provide arbitrary code execution or compromise of other components; it solely grants lower‑privileged users unauthorized modification of a critical plugin configuration.

Affected Systems

Any WordPress site running Feeds for YouTube version 2.6.3 or earlier is vulnerable. No other vendors or product versions are mentioned.

Risk and Exploitability

No EPSS score is available and the issue is not listed in the CISA KEV catalogue. The CVSS score is not specified. Exploitation requires only that an attacker be authenticated with at least Subscriber privileges, a role that may exist on many sites. The impact is limited to deletion of license data, which could render the plugin unusable but does not lead to broader system compromise.

Generated by OpenCVE AI on May 18, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Feeds for YouTube plugin to version 2.6.4 or newer, which introduces a proper capability check.
  • Restrict the Subscriber role (or any role with access to plugin configuration) so that it cannot execute actions that modify license data.
  • If the plugin is not essential, disable or uninstall it until a patched version is available.

Advisories

No advisories yet.

History

Mon, 18 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Smashballoon; Smashballoon feeds For Youtube; Wordpress; Wordpress wordpress
Vendors & Products | | Smashballoon; Smashballoon feeds For Youtube; Wordpress; Wordpress wordpress

Mon, 18 May 2026 08:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284

Mon, 18 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
Title | | Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-18T06:00:04.592Z

Reserved: 2026-01-29T15:55:18.319Z

Link: CVE-2026-1631

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T07:16:12.020

Modified: 2026-05-18T07:16:12.020

Link: CVE-2026-1631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:48:56Z

Weaknesses