Security Alert Summary
The Feeds for YouTube Pro plugin for WordPress contains an arbitrary file read vulnerability that can be triggered via a specific AJAX action. An unauthenticated attacker can read files on the server when certain plugin settings are enabled, potentially exposing sensitive information.
CVE Details
- CVE ID: CVE-2025-12002
- Affected plugin / component: Feeds for YouTube Pro plugin for WordPress
- Affected versions: All versions up to, and including, 2.6.0
- Published: January 17, 2026 at 3:16:02 AM UTC
- Last modified: January 17, 2026 at 3:16:02 AM UTC
- CVSS v3.1: Base Score 5.9, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: No authentication required (unauthenticated). Privileges required: None. User interaction: None.
- Attack vector / complexity / scope: Network / High complexity / Scope: Unchanged
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE / weakness: CWE-22 (Path Traversal)
Technical Details
The vulnerability is an arbitrary file read (path traversal/file access) triggered via the sby_check_wp_submit AJAX action. According to the CVE description, user-supplied data is insufficiently sanitized and is used in a file operation, allowing an attacker to read the contents of arbitrary files on the server. The issue specifically affects the Pro version of Feeds for YouTube and is contingent on certain plugin settings: the “Save Featured Images” setting must be enabled and “Disable WP Posts” must be disabled for the attack to succeed.
The provided references point to the plugin files where the AJAX service and related functions are defined, indicating code paths where the file operation and input handling occur. The vulnerability does not assert modification or deletion of files; the reported impact is disclosure of file contents.
How This Could Impact Your Website
In a realistic scenario, a site owner running the Pro version of the plugin may have multiple internal users (editors, contributors) and may allow external contractors to assist with content. An unauthenticated attacker exploiting this vulnerability could read files on the server that contain sensitive information. Examples of exposed data could include configuration files, backups, or other files that contain internal user email addresses, API keys, or other credentials.
Practical consequences include exposure of internal user email addresses and increased risk of targeted phishing or social engineering against staff or contractors who appear in those files. The reported impact is limited to confidentiality (information disclosure) rather than integrity or availability, so this does not, based on the CVE entry, imply remote code execution or full site takeover.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (If a fixed version is not specified in the CVE entry, check the plugin author or vendor for updates.)
- Review and reduce unnecessary user roles, especially contributor-level access and external contractor accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins, and avoid running Pro-only functionality you do not need.
- Monitor site activity and logs for unusual behavior, including unexpected AJAX requests or file access patterns.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047
- https://smashballoon.com/youtube-feed/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve