CVE-2025-64635
Description
Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Feeds for YouTube: from n/a through <= 2.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Feeds for YouTube plugin <=2.4.0 has a missing authorization vulnerability allowing attackers to exploit incorrectly configured access controls.
The Feeds for YouTube plugin for WordPress, versions up to and including 2.4.0, contains a missing authorization vulnerability. This issue arises from the plugin's failure to properly verify access control permissions when handling certain functions, allowing unauthenticated or low-privileged users to execute actions that should require higher privileges.
Exploitation of this vulnerability does not require authentication, as the missing authorization checks leave a function exposed. An attacker can leverage this weakness without needing any prior access to the website, making it a trivial attack vector for mass exploitation campaigns [1].
Successful exploitation could lead to unauthorized actions such as modifying plugin settings or accessing sensitive data, depending on the affected function. While the CVSS score places this at medium severity, the vulnerability is considered low risk in practice, though it remains a target for automated attacks.
Users are advised to update to version 2.6.1 or later, which resolves the issue. As a temporary measure, enabling auto-updates for vulnerable plugins can mitigate the risk for Patchstack users [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=2.4.0
- Range: <= 2.4.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.