Platform
wordpress
Component
wp-youtube-video-gallery
Fixed in
1.0.1
CVE-2025-14906 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Youtube Video Gallery plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can trick a site administrator into performing an action. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is expected in a future plugin release.
The core impact of this CSRF vulnerability lies in the ability of an attacker to manipulate the plugin's configuration without authentication. Successful exploitation could lead to unauthorized changes to video gallery settings, potentially altering video display, privacy settings, or other critical plugin functionalities. This could result in unexpected behavior, data exposure, or even the injection of malicious content onto the website. While the vulnerability requires tricking an administrator, the potential consequences can be significant, especially on sites with sensitive video content or high traffic.
This vulnerability was publicly disclosed on 2026-01-24. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the immediate exploitation probability is considered low, but vigilance is still advised.
Websites using the WP Youtube Video Gallery plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wpYTVideoGallerySettingSave()' /var/www/html/wp-content/plugins/wp-youtube-video-gallery/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'wp-youtube-video-gallery'
• wordpress / composer / npm:
wp plugin update wp-youtube-video-gallery --all
Disclosure
Exploit status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14906 is to upgrade to a patched version of the WP Youtube Video Gallery plugin once available. Until a patch is released, consider implementing temporary workarounds. These include restricting administrator access to sensitive plugin settings, enabling a WordPress security plugin with CSRF protection, or implementing custom nonce verification on the wpYTVideoGallerySettingSave() function. Regularly review plugin settings for any unauthorized changes and monitor website activity for suspicious requests.
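The nonce-verification workaround above, as an added example that is not the plugin's own code: a WordPress settings-save handler that refuses forged requests by requiring a valid nonce and a capability check before touching any option. The handler name wpYTVideoGallerySettingSave() is taken from the advisory; the option name, field names, nonce action and the wpytvg_ prefix are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed names: wpytvg_api_key option,
// wpytvg_nonce field, wpytvg_save_settings nonce action, wpytvg_save button.

// Form side: emit a nonce tied to this action inside the settings form.
function wpytvg_example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpytvg_save_settings', 'wpytvg_nonce' );
    echo '<input type="text" name="wpytvg_api_key" value="'
        . esc_attr( get_option( 'wpytvg_api_key', '' ) ) . '">';
    submit_button( 'Save', 'primary', 'wpytvg_save' );
    echo '</form>';
}

// Handler side: the unsafe pattern is writing $_POST straight into
// update_option(); a cross-site form post then succeeds with the
// administrator's cookies. Both checks below must pass first.
function wpYTVideoGallerySettingSave() {
    // Only act on our own form submission, not on every admin_init.
    if ( ! isset( $_POST['wpytvg_save'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() validates the nonce for this
    // action and calls wp_die() if it is missing, expired or forged.
    check_admin_referer( 'wpytvg_save_settings', 'wpytvg_nonce' );

    // Only after both checks: sanitize, then persist the submitted value.
    $api_key = isset( $_POST['wpytvg_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpytvg_api_key'] ) )
        : '';
    update_option( 'wpytvg_api_key', $api_key );
}
add_action( 'admin_init', 'wpYTVideoGallerySettingSave' );
```

A request that lacks the nonce or carries one minted for a different action or user is rejected before any setting changes, which is exactly the gap a CSRF page exploits.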
No known patch available. Please review the details of the vulnerability thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, allowing attackers to modify settings via forged requests.
You are affected if you are using the WP Youtube Video Gallery plugin versions 1.0.0 through 1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the WP Youtube Video Gallery plugin as soon as it becomes available. Until then, implement workarounds like restricting admin access or using a security plugin.
Currently, there are no known active exploits for CVE-2025-14906, but it's important to apply mitigations proactively.
Check the WP Youtube Video Gallery plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-14906.