CVE-2026-1631
MEDIUMFeeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion
Title source: cnaDescription
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
References (1)
Core 1
Core References
Exploit exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-eb80f4577e3c/
Scores
CVSS v3
5.4
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
None/Feeds for YouTube (YouTube video, channel, and gallery plugin)
< 2.6.4
Published
May 18, 2026
Tracked Since
May 18, 2026