Platform
wordpress
Component
wp-youtube-video-gallery
Fixed in
1.0.1
CVE-2025-14906 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress. The attacker needs no account on the target site: the settings-save handler (wpYTVideoGallerySettingSave()) does not verify a nonce, so a request forged from an attacker-controlled page is accepted as long as the browser that sends it carries a logged-in administrator's session cookie. The advisory lists versions 1.0.0 through 1.0 as affected; the header of this page gives 1.0.1 as the fixed version, while the advisory text still describes the fix as pending.
The core impact is that an attacker can change the plugin's configuration without authenticating, by getting an administrator to visit a page (or load a resource) that auto-submits the forged request. Which values can be changed is bounded by what the save handler accepts: gallery display and privacy settings and any other option the plugin stores. Depending on those options, the result can be unexpected behavior, exposure of data, or content the attacker chose being rendered on the site. The requirement for administrator interaction lowers exploitability, but the consequences on sites with sensitive video content or high traffic can still be significant.
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog. Given the low EPSS score shown below (0.01%) and the absence of a public exploit, the immediate exploitation probability is considered low, but the attack is simple to build once the missing check is known, so vigilance is still advised.
Sites using the WP Youtube Video Gallery plugin are exposed in proportion to how many administrator accounts they have and how those administrators browse: every additional admin is another session an attacker can ride, and administrators who open links from untrusted sources while logged in to wp-admin are the most likely targets.
Detection and remediation commands (shell and WP-CLI on the WordPress host; adjust the webroot path to your install):
• Check whether the affected save handler is present in the installed plugin:
grep -rn 'wpYTVideoGallerySettingSave()' /var/www/html/wp-content/plugins/wp-youtube-video-gallery/
• Check whether the plugin is active:
wp plugin list --status=active | grep 'wp-youtube-video-gallery'
• Update the plugin once a fixed release is available:
wp plugin update wp-youtube-video-gallery
Disclosure
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14906 is to upgrade to a patched version of the WP Youtube Video Gallery plugin as soon as one is available. Until then, the workaround that actually closes the hole is to add nonce verification and a capability check to the wpYTVideoGallerySettingSave() handler (for example via check_admin_referer() and current_user_can()), since the defect is the absence of those checks. Compensating controls that reduce exposure without fixing it: a WordPress security plugin or WAF with CSRF rules in front of wp-admin, and administrators not browsing untrusted links while logged in. Modern browsers' SameSite=Lax default for cookies blocks many cross-site POSTs but should not be relied on as the only control. Regularly review the plugin's settings for unauthorized changes and monitor access logs for POST requests to the settings endpoint with an off-site Referer or Origin.
No patch is known to be available. Review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be preferable to uninstall the affected software and look for a replacement.
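The following is an added example, not the plugin's code, showing the shape of the defect described above next to a hardened handler built on WordPress's own nonce and capability APIs. The function name wpYTVideoGallerySettingSave comes from the advisory; the option name, field names and the admin-post action are assumptions chosen for illustration.

```php
<?php
// Added illustration of the CSRF defect class described in CVE-2025-14906.
// Not the plugin's own code. Option/field names are assumed for the example.

// BEFORE: no nonce check, no capability check. Any POST that reaches this
// code while an administrator's session cookie is attached is honoured,
// including one auto-submitted from an attacker-controlled page.
function wpYTVideoGallerySettingSave_before() {
    if ( isset( $_POST['wpytvg_settings'] ) ) {
        update_option( 'wpytvg_settings', wp_unslash( $_POST['wpytvg_settings'] ) );
    }
}

// Settings form: the nonce field is bound to a named action and to the
// current user's session, so a cross-site form cannot reproduce it.
function wpytvg_render_settings_form() {
    $settings = get_option( 'wpytvg_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpytvg_save_settings', 'wpytvg_nonce' ); ?>
        <input type="hidden" name="action" value="wpytvg_save_settings" />
        <label>API key
            <input type="text" name="wpytvg_settings[api_key]"
                   value="<?php echo esc_attr( $settings['api_key'] ?? '' ); ?>" />
        </label>
        <label>Videos per page
            <input type="number" name="wpytvg_settings[per_page]"
                   value="<?php echo esc_attr( $settings['per_page'] ?? 10 ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER: capability check, nonce check, then sanitize before saving.
function wpYTVideoGallerySettingSave_after() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with 403 if the nonce is missing, expired, or was issued for a
    // different action or user. This is the check the advisory says is absent.
    check_admin_referer( 'wpytvg_save_settings', 'wpytvg_nonce' );

    $raw = ( isset( $_POST['wpytvg_settings'] ) && is_array( $_POST['wpytvg_settings'] ) )
        ? wp_unslash( $_POST['wpytvg_settings'] )
        : array();

    // Whitelist the keys and coerce types; never store the raw array.
    $clean = array(
        'api_key'  => sanitize_text_field( $raw['api_key'] ?? '' ),
        'per_page' => max( 1, min( 50, absint( $raw['per_page'] ?? 10 ) ) ),
    );
    update_option( 'wpytvg_settings', $clean );

    $back = wp_get_referer() ? wp_get_referer() : admin_url( 'admin.php?page=wpytvg' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_wpytvg_save_settings', 'wpYTVideoGallerySettingSave_after' );
```

Routing the save through admin-post.php with a named action keeps the handler off the generic admin page, and pairing wp_nonce_field() with check_admin_referer() under the same action string is what ties the request to the administrator's own session rather than merely to their cookie. The capability check is separate from the nonce check: the nonce proves the request originated from a page this user loaded, the capability proves the user is allowed to change settings at all.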
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, allowing attackers to modify settings via forged requests.
You are affected if you are running WP Youtube Video Gallery versions 1.0.0 through 1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the WP Youtube Video Gallery plugin as soon as it becomes available. Until then, add nonce and capability checks to the settings-save handler if you can patch locally, place a security plugin or WAF with CSRF rules in front of wp-admin, and have administrators avoid untrusted links while logged in.
Currently, there are no known active exploits for CVE-2025-14906, but it's important to apply mitigations proactively.
Check the WP Youtube Video Gallery plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-14906.