Platform
wordpress
Component
wp-youtube-video-gallery
Fixed version
1.0.1
CVE-2025-14906 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Youtube Video Gallery plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can trick a site administrator into performing an action. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is expected in a future plugin release.
The core impact of this CSRF vulnerability lies in the ability of an attacker to manipulate the plugin's configuration without authenticating themselves, by riding on a logged-in administrator's session. Successful exploitation could lead to unauthorized changes to video gallery settings, potentially altering video display, privacy settings, or other critical plugin functionality. This could result in unexpected behavior, data exposure, or even the injection of malicious content onto the website. While the vulnerability requires tricking an administrator, the potential consequences can be significant, especially on sites with sensitive video content or high traffic.
This vulnerability was publicly disclosed on 2026-01-24. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the immediate exploitation probability is considered low, but vigilance is still advised.
Websites using the WP Youtube Video Gallery plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wpYTVideoGallerySettingSave()' /var/www/html/wp-content/plugins/wp-youtube-video-gallery/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'wp-youtube-video-gallery'
• wordpress / composer / npm:
wp plugin update wp-youtube-video-gallery --all
Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14906 is to upgrade to a patched version of the WP Youtube Video Gallery plugin once available. Until a patch is released, consider implementing temporary workarounds. These include restricting administrator access to sensitive plugin settings, enabling a WordPress security plugin with CSRF protection, or implementing custom nonce verification on the wpYTVideoGallerySettingSave() function. Regularly review plugin settings for any unauthorized changes and monitor website activity for suspicious requests.
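The nonce verification mentioned above is something a plugin author or site maintainer applies inside the settings-save handler. The following PHP is an added example and not the WP Youtube Video Gallery plugin's own code: every name prefixed `wpytvg_example_` is a hypothetical stand-in for the real `wpYTVideoGallerySettingSave()` handler, and the single "videos per page" setting is invented for illustration. It shows the two checks WordPress core provides for exactly this case: a capability check and a nonce check tied to one named action.

```php
<?php
// Added example (hypothetical): a hardened settings-save handler for a
// WordPress plugin. Not the WP Youtube Video Gallery plugin's source.
// All wpytvg_example_* names and the option key are assumptions.

// Render the settings form. wp_nonce_field() emits a hidden field whose
// value is bound to the current user and the named action, so a page on
// another origin cannot reproduce it.
function wpytvg_example_render_settings_form() {
    $per_page = get_option( 'wpytvg_example_per_page', 10 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpytvg_example_save_settings">
        <?php wp_nonce_field( 'wpytvg_example_save_settings', 'wpytvg_example_nonce' ); ?>
        <label>Videos per page
            <input type="number" name="videos_per_page" value="<?php echo esc_attr( $per_page ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. A CSRF-vulnerable handler would read $_POST and call
// update_option() directly; this one refuses the request unless both
// checks pass.
function wpytvg_example_save_settings() {
    // 1. Capability check: the acting user must be allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Nonce check: proves the request came from our own form rendered
    //    for this user, not from a forged cross-site request.
    //    check_admin_referer() calls wp_die() with a 403 on failure.
    check_admin_referer( 'wpytvg_example_save_settings', 'wpytvg_example_nonce' );

    // 3. Sanitize before persisting.
    $per_page = isset( $_POST['videos_per_page'] )
        ? absint( wp_unslash( $_POST['videos_per_page'] ) )
        : 10;
    update_option( 'wpytvg_example_per_page', max( 1, $per_page ) );

    // Send the admin back to the settings page.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? add_query_arg( 'settings-updated', 'true', $back ) : admin_url() );
    exit;
}
add_action( 'admin_post_wpytvg_example_save_settings', 'wpytvg_example_save_settings' );
```

The capability check alone does not stop CSRF, because the forged request is sent by the administrator's own browser with their cookies; the nonce is what ties the request to a form the administrator actually loaded. Until the plugin ships its own fix, this is the pattern a site maintainer would look for when reviewing the handler that the grep command above locates.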
No known fix patch is available. Review the vulnerability details carefully and apply mitigations based on your organization's risk tolerance. Uninstalling the affected software and finding an alternative may be the best option.
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, allowing attackers to modify settings via forged requests.
You are affected if you are using the WP Youtube Video Gallery plugin versions 1.0.0 through 1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the WP Youtube Video Gallery plugin as soon as it becomes available. Until then, implement workarounds like restricting admin access or using a security plugin.
Currently, there are no known active exploits for CVE-2025-14906, but it's important to apply mitigations proactively.
Check the WP Youtube Video Gallery plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-14906.