Feeds for YouTube Plugin Vulnerability (CVE-2026-1631)

Security Alert Summary

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 contains a missing capability check in its actions function that allows users with the Subscriber role or higher to delete the plugin's license key. An authenticated low-privileged user can modify the license key value without proper authorization checks.

CVE Details

  • CVE ID: CVE-2026-1631
  • Affected component: Feeds for YouTube (YouTube video, channel, and gallery plugin)
  • Affected versions: Versions before 2.6.4
  • Published: May 18, 2026 at 7:16:12 AM
  • Last modified: May 18, 2026 at 3:16:25 PM
  • CVSS v3.1 base score: 5.4
  • CVSS v3.1 severity: MEDIUM
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • Authentication / privileges / user interaction: Authentication required; low privileges required (PR:L); no user interaction (UI:N)
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: Low
  • Weakness: CWE-862 (Missing Authorization)

Technical Details

The vulnerability is caused by a missing capability check on the plugin's actions function. Because the function does not verify that a user holds the appropriate capability before performing license-related operations, authenticated users with the Subscriber role or higher can delete the plugin's license key. Deleting the license key can prevent the plugin from validating its license and may disable licensed features or updates, producing the integrity and availability impact reflected in the CVSS metrics.
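To make the weakness class (CWE-862) concrete, the following is an added example and not the plugin's own code: a hypothetical WordPress admin-ajax handler that deletes a license option with no authorization check, beside a hardened version that verifies a nonce and the `manage_options` capability, plus a small logging hook for the monitoring recommendation further down. The option, action and nonce names are constructed for this illustration.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// admin-ajax handler. All option, action and nonce names are constructed
// for this example; they are not the Feeds for YouTube plugin's identifiers.

// Weak pattern: wp_ajax_* hooks run for any logged-in user, so without a
// capability check a Subscriber can trigger the deletion.
add_action( 'wp_ajax_example_delete_license', 'example_delete_license_unchecked' );
function example_delete_license_unchecked() {
    // Authentication is the only gate here: no capability check, no nonce.
    delete_option( 'example_plugin_license_key' );
    wp_send_json_success( array( 'deleted' => true ) );
}

// Hardened pattern: verify intent (nonce) and authority (capability)
// before touching the option.
add_action( 'wp_ajax_example_delete_license_safe', 'example_delete_license_checked' );
function example_delete_license_checked() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_delete_license_nonce', 'nonce' );

    // Subscribers, Contributors, Authors and Editors lack manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'example_plugin_license_key' );
    wp_send_json_success( array( 'deleted' => true ) );
}

// The settings page, rendered only for administrators, issues the nonce
// that the hardened handler expects in the 'nonce' request parameter.
function example_license_nonce() {
    return wp_create_nonce( 'example_delete_license_nonce' );
}

// Detection aid: core fires 'delete_option' before removing any option,
// so deletions of the license key can be attributed to a user in the logs.
add_action( 'delete_option', function ( $option ) {
    if ( 'example_plugin_license_key' === $option ) {
        error_log( sprintf(
            'License key option deleted by user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown'
        ) );
    }
} );
```

The two handlers differ only in the checks at the top of the function; the unchecked variant is reachable by every authenticated role because WordPress exposes `wp_ajax_*` actions to all logged-in users.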

How This Could Impact Your Website

Consider a site where the site owner delegates routine content tasks to an internal editor and gives occasional access to an external contractor with Subscriber-level credentials. If a subscriber or other low-privileged user deletes the plugin's license key, the plugin may stop receiving updates or lose access to licensed services, degrading functionality for editors and visitors. While the CVSS assessment indicates no direct confidentiality impact, unauthorized modification of license data can cause operational disruption and may increase the risk of targeted social engineering against staff if attackers try to manipulate recovery workflows or support channels.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for Subscribers and Contributors.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce the attack surface.
  • Monitor site activity and plugin logs for unusual behavior related to license changes or plugin settings.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
