Impact
The vulnerability is a missing authorization check in the embedplus Youtube Embed Plus plugin for WordPress. An attacker can exploit the incorrectly configured access control to reach administrative interfaces that normally require higher privileges. This flaw allows unauthorized manipulation of the plugin’s settings and the embedded content, potentially leading to the insertion of malicious videos or alteration of user‑generated content. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
WordPress sites running the embedplus Youtube Embed Plus plugin at any version from its earliest release up to and including 14.2.4 are affected. The plugin is identified by embedplus and is commonly used on sites that embed video content.
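A defender-side check for the affected range stated above, as an added example (not code from the advisory or from the plugin): it reads the `Version:` header of a plugin's main PHP file and reports whether the version is at or below 14.2.4. The function names and the sample header are constructed for illustration, and the path to the plugin file is supplied by the operator.

```python
import re
import sys

# Last affected release, taken from the advisory text.
LAST_AFFECTED = (14, 2, 4)

# Constructed sample of a WordPress plugin file header (not the real plugin's).
SAMPLE_HEADER = """<?php
/*
  Plugin Name: Example Video Embed (constructed sample)
  Version: 14.2.3
*/
"""

def plugin_version(header_text):
    """Return the 'Version:' value from a plugin file header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def version_tuple(version):
    """Turn '14.2' or '14.2.4-beta' into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            raise ValueError("non-numeric version component: %r" % piece)
        parts.append(int(digits.group()))
    while parts and parts[-1] == 0:   # 14.2.4.0 compares equal to 14.2.4
        parts.pop()
    return tuple(parts)

def is_affected(header_text):
    """True if version <= 14.2.4, False if newer, None if it cannot be told."""
    version = plugin_version(header_text)
    if version is None:
        return None
    try:
        return version_tuple(version) <= LAST_AFFECTED
    except ValueError:
        return None

if __name__ == "__main__":
    # Usage: python check_version.py /path/to/plugin-main-file.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        result = is_affected(fh.read(8192))  # the header sits at the top of the file
    print({True: "AFFECTED", False: "not affected", None: "version unknown"}[result])
```

A result of "version unknown" should be treated as needing manual review rather than as a pass.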
Risk and Exploitability
The CVSS score and EPSS data are not publicly disclosed, and the vulnerability is not listed in the CISA KEV catalog, so the exact quantitative risk cannot be determined. However, because the flaw permits unauthorized access to privileged plugin functions via the web interface, the risk is considered high for sites where the plugin’s administrative pages are reachable. The likely attack vector is through crafted HTTP requests sent to the plugin’s backend endpoints, and exploitation does not appear to require additional pre‑conditions beyond the presence of the vulnerable plugin installation.