Description
Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The Youtube Embed Plus plugin for WordPress contains a missing authorization flaw that allows attackers to reach plugin endpoints without proper privilege checks. Because access controls are not enforced as intended, an attacker who can send requests to the plugin may be able to use functions that should be restricted, potentially exposing or altering embedded media settings. This weakness is identified as Missing Authorization (CWE‑862).

Affected Systems

WordPress installations that have the embedplus Youtube Embed Plus plugin version 14.2.4 or earlier are affected. Any site running these versions with the plugin enabled is vulnerable until the plugin is updated to a later release.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate severity. The EPSS score is below 1%, which suggests that exploitation in the wild is currently unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is inferred to be web-based, requiring an attacker to deliver requests to the plugin’s endpoints. Because no authentication is enforced, any user with network access to the site could potentially exploit the flaw, but the risk remains moderate compared to higher-severity exploits.

Generated by OpenCVE AI on April 10, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Youtube Embed Plus plugin to version 14.2.5 or later.
  • Verify that the plugin’s configuration requires appropriate WordPress user roles for sensitive actions.
  • Disable or remove the plugin if an update is not immediately possible.
  • Review user accounts and limit permissions to the least necessary.
  • Monitor site activity for signs of unauthorized access.



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Embedplus; Embedplus youtube Embed Plus; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Embedplus; Embedplus youtube Embed Plus; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.
Title | (none) | WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability
Weaknesses | (none) | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.953Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39485

Vulnrichment

Updated: 2026-04-10T18:11:01.146Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:23.253

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:36Z

Weaknesses