CVE-2025-12002
Description
The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can read arbitrary files in the Feeds for YouTube Pro plugin for WordPress via insufficient sanitization in the sby_check_wp_submit AJAX action.
The Feeds for YouTube Pro plugin for WordPress, up to and including version 2.6.0, contains an arbitrary file read vulnerability in the sby_check_wp_submit AJAX action. The root cause is insufficient sanitization of user-supplied data, which is then used in a file operation. This allows an attacker to specify arbitrary file paths and read their contents from the server.
Exploitation requires that the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. The vulnerability is accessible to unauthenticated attackers via the AJAX endpoint, meaning no authentication is needed to trigger the file read. The attacker can supply a crafted request to read any file on the server that the web server user has access to.
The impact is the exposure of sensitive information contained in arbitrary files, such as configuration files, database credentials, or other secrets. This could lead to further compromise of the WordPress site or underlying server. The vulnerability only affects the Pro version of the plugin, as noted in the description.
As of the publication date, the vulnerability is unpatched in versions up to 2.6.0. Users are advised to disable the 'Save Featured Images' setting or enable 'Disable WP Posts' as a workaround, or to apply any available update from the vendor. The plugin is developed by Smash Balloon [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php
- plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php
- smashballoon.com/youtube-feed/
- www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d
News mentions
No linked articles in our index yet.