CVE-2026-1631
Description
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subscribers can delete the license key in Feeds for YouTube plugin < 2.6.4 due to missing capability check.
Vulnerability
The Feeds for YouTube plugin for WordPress, versions before 2.6.4, is missing a capability check in its actions function. This oversight allows unprivileged users to modify the plugin's license key without proper authorization [1].
Exploitation
An attacker with subscriber-level access or above can exploit this vulnerability by sending a crafted request to the vulnerable actions function. No additional authentication or network position is required beyond being a subscriber on the WordPress site [1].
Impact
Successful exploitation results in deletion of the plugin's license key. This could disable premium features or cause the plugin to malfunction, potentially affecting site functionality that relies on YouTube video integration [1].
Mitigation
The vulnerability has been fixed in version 2.6.4. Users are advised to update the plugin immediately. There are no known workarounds [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <2.6.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.