Youtube Feeder <= 2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The Youtube Feeder WordPress plugin (≤2.0.1) lacks CSRF protection, enabling attackers to forge requests that inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Youtube Feeder WordPress plugin, in versions up to and including 2.0.1, contains a Cross-Site Request Forgery (CSRF) vulnerability in the printAdminPage function found in the ~/youtube-feeder.php file. This allows attackers to inject arbitrary web scripts [1][2]. The plugin has been closed and removed from the WordPress.org plugin directory as of July 29, 2021 due to a security issue [1].
Exploitation
An attacker can craft a malicious link or page that performs a forged request to the vulnerable endpoint, exploiting the lack of CSRF nonce verification. The attack requires user interaction: the victim must be logged in as an administrator and must click or navigate to the attacker-controlled request [2]. The attacker needs no authentication of their own and no special network position; the forged request relies only on the victim's session.
Impact
Successful exploitation allows an attacker to inject arbitrary web scripts (stored or reflected XSS) into the admin panel, leading to potential information disclosure, privilege escalation, or further compromise of the WordPress site [2]. The attacker can effectively perform actions on behalf of the authenticated administrator.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of July 29, 2021, and no patched version is being distributed. Users who have this plugin installed should uninstall it immediately and replace it with an alternative [1].
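For anyone reviewing a replacement plugin or a custom settings page, the following added example (not code from Youtube Feeder or from this advisory's sources) shows the checks whose absence the Exploitation and Impact paragraphs describe: a capability check, nonce verification before saving, sanitization on input, and escaping on output. The function, option, field, and nonce names are hypothetical; the WordPress calls are the standard core functions.

```php
<?php
// Hypothetical settings page for illustration; these names are assumptions,
// not identifiers taken from the Youtube Feeder plugin.
const EXAMPLE_OPTION = 'example_feed_title';  // assumed option name
const EXAMPLE_ACTION = 'example_feed_save';   // assumed nonce action
const EXAMPLE_NONCE  = 'example_feed_nonce';  // assumed nonce field name

function example_print_admin_page() {
    // Only administrators may view or change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: aborts the request unless the POST carries a nonce that
        // WordPress issued to this user for this action. A request forged from
        // another site cannot supply it, so nothing below runs for that request.
        check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE );

        // Input side of the XSS defence: strip tags and control characters
        // before the value is stored.
        $raw = isset( $_POST['feed_title'] ) ? wp_unslash( $_POST['feed_title'] ) : '';
        update_option( EXAMPLE_OPTION, sanitize_text_field( $raw ) );
    }

    $title = get_option( EXAMPLE_OPTION, '' );
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field that check_admin_referer() verifies. ?>
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE ); ?>
        <?php // Output side of the XSS defence: escape for the attribute context. ?>
        <input type="text" name="feed_title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Either half alone leaves a gap: escaping without the nonce still lets a forged request change settings, and the nonce without escaping still renders whatever an administrator's own session stored.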
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.1
- Youtube Feeder/Youtube Feeder v5 Range: 2.0.1
Patches
youtube-feeder: This plugin has been removed from the WordPress.org directory on 2021-07-29 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- plugins.trac.wordpress.org/browser/youtube-feeder/trunk/youtube-feeder.php (mitre, x_refsource_MISC)
- www.wordfence.com/vulnerability-advisories/ (mitre, x_refsource_MISC)