Platform
wordpress
Component
wp-youtube-video-gallery
Fixed in
1.0.1
CVE-2025-14906 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, caused by missing or incorrect nonce verification in the plugin's settings-save handler, wpYTVideoGallerySettingSave(). An unauthenticated attacker who can trick a logged-in site administrator into performing an action, such as visiting a page that auto-submits a forged request, can change the plugin's settings with that administrator's privileges. All versions up to and including 1.0 are affected. The "Fixed in" field above lists 1.0.1; confirm this against the plugin's changelog in the WordPress plugin repository.
The core impact of this CSRF flaw is that the attacker never authenticates: the forged request is sent by the administrator's own browser, carrying the administrator's session cookies, so WordPress treats it as a legitimate settings update. Successful exploitation can change the video gallery's configuration, which, depending on what those settings control, may alter which videos are displayed and how, or allow attacker-chosen content to be rendered on the site. The attack requires luring an administrator while they are logged in, but the resulting changes persist for every visitor, so the consequences can be significant on sites with sensitive video content or high traffic.
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog. Given the low EPSS estimate and the absence of public exploit code, the near-term exploitation probability is considered low. Note, however, that a CSRF attack needs no special tooling once the settings endpoint and its field names are known, so patching should be treated as routine hygiene rather than deferred.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC: not available
CVSS Vector: not available
The primary mitigation for CVE-2025-14906 is to update to a patched release of the WP Youtube Video Gallery plugin (the "Fixed in" field above lists 1.0.1). If you cannot update yet, use temporary workarounds that match the attack model: reduce the number of administrator accounts and have administrators avoid browsing untrusted sites while logged in to wp-admin; run a WordPress security plugin or WAF that rejects state-changing admin requests whose Origin or Referer header points off-site; or, if you maintain the plugin code yourself, add nonce verification to the wpYTVideoGallerySettingSave() function. Review the plugin's settings periodically for unexplained changes and watch access logs for POST requests to the plugin's settings page that arrive with an external Referer. Restricting which users can reach the settings page does not by itself block CSRF, because the forged request executes with the victim administrator's own permissions.
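As an added illustration of the nonce check named above (example code written for this page, not the plugin's own source, which this page does not show), the following contrasts a settings-save handler of the kind the advisory describes with a hardened version and the matching form. The function name wpYTVideoGallerySettingSave() comes from this page; the option name wpytvg_settings, the nonce action wpytvg_save_settings, the field names and the admin page slug are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Only the function name
// wpYTVideoGallerySettingSave() comes from the advisory; the option name,
// nonce action, field names and page slug below are assumptions.

// BEFORE: the CSRF pattern the advisory describes. A privileged write is
// performed on any POST that carries the save button, with no proof that the
// request was produced by the plugin's own settings form. A page on another
// origin can auto-submit an identical POST from a logged-in admin's browser.
function wpYTVideoGallerySettingSave_unsafe() {
    if ( isset( $_POST['wpytvg_save'] ) ) {
        update_option( 'wpytvg_settings', array(
            'api_key'  => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
            'per_page' => absint( $_POST['per_page'] ?? 10 ),
        ) );
    }
}

// AFTER: capability check plus nonce verification. check_admin_referer() runs
// wp_verify_nonce() on the 'wpytvg_settings_nonce' field and stops the request
// with a 403 page if it is missing or invalid. A forged cross-origin request
// cannot read the nonce, so it never reaches update_option().
function wpYTVideoGallerySettingSave() {
    if ( ! isset( $_POST['wpytvg_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-youtube-video-gallery' ), 403 );
    }
    check_admin_referer( 'wpytvg_save_settings', 'wpytvg_settings_nonce' );

    update_option( 'wpytvg_settings', array(
        'api_key'  => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'per_page' => absint( $_POST['per_page'] ?? 10 ),
    ) );
    add_settings_error(
        'wpytvg_settings',
        'wpytvg_saved',
        __( 'Settings saved.', 'wp-youtube-video-gallery' ),
        'updated'
    );
}

// The settings form must emit the matching nonce. wp_nonce_field() writes the
// hidden nonce input and a _wp_http_referer field for the same action name.
function wpYTVideoGallerySettingsForm() {
    $opts = get_option( 'wpytvg_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=wpytvg' ) ); ?>">
        <?php wp_nonce_field( 'wpytvg_save_settings', 'wpytvg_settings_nonce' ); ?>
        <label>API key
            <input type="text" name="api_key" value="<?php echo esc_attr( $opts['api_key'] ?? '' ); ?>">
        </label>
        <label>Videos per page
            <input type="number" name="per_page" value="<?php echo esc_attr( $opts['per_page'] ?? 10 ); ?>">
        </label>
        <?php submit_button( __( 'Save', 'wp-youtube-video-gallery' ), 'primary', 'wpytvg_save' ); ?>
    </form>
    <?php
}

// Process the POST early in the admin request, before any output is sent.
add_action( 'admin_init', 'wpYTVideoGallerySettingSave' );
```

WordPress nonces are derived from the action name, the current user ID, the user's session token and a time window, which is why a page on a foreign origin cannot supply one even though the victim's browser attaches the authentication cookies automatically. The capability check is kept separate from the nonce check on purpose: the nonce proves intent from the plugin's own form, while current_user_can() proves the user is allowed to change settings at all.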
If no patched release is available for your installation, review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected plugin and find a replacement.
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, allowing attackers to modify settings via forged requests.
You are affected if you are running the WP Youtube Video Gallery plugin at version 1.0 or earlier and have not updated to a patched release.
Update to a patched release of the WP Youtube Video Gallery plugin (listed above as 1.0.1) as soon as one is available to you. Until then, reduce the number of administrator accounts, have administrators avoid untrusted sites while logged in to wp-admin, and use a security plugin or WAF that blocks cross-origin state-changing admin requests.
Currently, there are no known active exploits for CVE-2025-14906, but it's important to apply mitigations proactively.
Check the WP Youtube Video Gallery plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-14906.