Platform
wordpress
Component
wp-youtube-video-gallery
Fixed in
1.0.1
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, caused by missing nonce verification in the settings-save handler wpYTVideoGallerySettingSave(). An attacker who holds no account on the site can change plugin settings by luring a logged-in administrator onto a page that submits a forged request (for example an auto-submitting HTML form); the administrator's browser attaches the session cookie and WordPress accepts the change. The affected range is versions 1.0.0 through 1.0. The header on this page lists 1.0.1 as the fixed release; confirm that release is available in the WordPress plugin repository before relying on it.
The core impact is that an attacker with no credentials of their own can rewrite the plugin's configuration by riding an administrator's authenticated session. Successful exploitation allows unauthorized changes to gallery settings, which can alter which videos are displayed and how, change privacy-related options, or break gallery functionality. Where a setting value is rendered on the site without adequate escaping, a forged change may also be a path to injecting attacker-controlled content. Exploitation requires the administrator to be tricked into a single action, but the consequences can be significant on sites where the gallery is prominent or where its content is sensitive.
The vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept exploit is known, and the CVE is not listed in the CISA KEV catalog. Given the relatively low CVSS score, an EPSS of 0.01% and the absence of public exploits, the near-term exploitation probability is low, though the fix is cheap to apply and should not be deferred.
Any site with the WP Youtube Video Gallery plugin active is exposed. The risk rises with the number of administrator accounts, since each is a possible CSRF victim, and with administrators who browse other sites or open links from untrusted sources while logged in to wp-admin, because an attacker's page only has to be loaded in that same browser for the forged request to carry the session cookie.
• wordpress / composer / npm (locate the unprotected save handler in the installed plugin):
grep -rn 'wpYTVideoGallerySettingSave()' /var/www/html/wp-content/plugins/wp-youtube-video-gallery/
• wordpress / composer / npm (confirm whether the plugin is installed and active):
wp plugin list --status=active | grep 'wp-youtube-video-gallery'
• wordpress / composer / npm (update the plugin once the fixed release is available):
wp plugin update wp-youtube-video-gallery
Exploit Status
EPSS
0.01% (1st percentile)
The primary mitigation for CVE-2025-14906 is to upgrade to the patched release of the WP Youtube Video Gallery plugin (1.0.1 according to the header above) as soon as it is available. Until it is installed, reduce exposure: keep the number of accounts with administrator capability to a minimum, avoid browsing untrusted sites while logged in to wp-admin, enable a WordPress security plugin that enforces CSRF protections on admin actions, or, if you maintain a local copy of the plugin, add nonce and capability verification to wpYTVideoGallerySettingSave(). Review the plugin's settings regularly for unauthorized changes, and watch the web server access log for POST requests to the settings endpoint that carry an off-site Referer or Origin header.
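The nonce-verification workaround described above, as an added PHP illustration (this is not the plugin's own code): the handler name wpYTVideoGallerySettingSave() is taken from this page, while the option name, the form field names, the admin-post action and the logging hook are assumed for the example. The unprotected pattern is shown beside a hardened version that checks the caller's capability and a per-action nonce before writing, and a listener on WordPress's check_admin_referer action logs rejected submissions so forged requests show up in the PHP error log.

```php
<?php
// Added illustration for CVE-2025-14906, not code from the plugin. Only the
// function name wpYTVideoGallerySettingSave() comes from the advisory; the
// option name 'wpytvg_settings', the field names and the action are assumed.

// Vulnerable pattern: the handler writes whatever arrives in $_POST.
// A cross-site form auto-submitted by a logged-in administrator's browser
// carries the WordPress session cookie and is accepted without question.
function wpYTVideoGallerySettingSave_vulnerable() {
    if ( isset( $_POST['wpytvg_save'] ) ) {
        update_option( 'wpytvg_settings', array(
            'api_key'  => $_POST['wpytvg_api_key'],
            'per_page' => $_POST['wpytvg_per_page'],
        ) );
    }
}

// Hardened form: the settings page embeds a nonce bound to this action and
// the current user's session, and posts to admin-post.php.
function wpytvg_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpytvg_save_settings', 'wpytvg_nonce' ); ?>
        <input type="hidden" name="action" value="wpytvg_save_settings">
        <label>API key <input type="text" name="wpytvg_api_key"></label>
        <label>Videos per page <input type="number" name="wpytvg_per_page" min="1" max="50"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened handler: capability check, then nonce check, then sanitised write.
function wpYTVideoGallerySettingSave() {
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with a "link expired" page unless the request carries a valid,
    // unexpired nonce for this action issued to this user's session.
    check_admin_referer( 'wpytvg_save_settings', 'wpytvg_nonce' );

    $settings = array(
        'api_key'  => sanitize_text_field( wp_unslash( $_POST['wpytvg_api_key'] ?? '' ) ),
        'per_page' => max( 1, min( 50, absint( $_POST['wpytvg_per_page'] ?? 10 ) ) ),
    );
    update_option( 'wpytvg_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wpytvg_save_settings', 'wpYTVideoGallerySettingSave' );

// Detection aid: check_admin_referer() fires this action with the nonce
// result before dying, so failed checks for our action can be logged with
// the client address and Referer, which is where forged submissions surface.
add_action( 'check_admin_referer', function ( $action, $result ) {
    if ( 'wpytvg_save_settings' === $action && false === $result ) {
        error_log( sprintf(
            'wpytvg: rejected settings save from %s, referer %s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['HTTP_REFERER'] ?? '-'
        ) );
    }
}, 10, 2 );
```

The order of the checks matters: the capability check runs first so that an unprivileged but authenticated user cannot even reach the nonce logic, and the nonce check rejects requests that a legitimate administrator's browser submitted on an attacker's behalf, because the attacker's page cannot read the nonce value embedded in the real settings form.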
If no patched release is available to you: study the vulnerability details thoroughly and apply mitigations based on your organization's risk tolerance. Removing the affected plugin and finding a replacement may be the better option.
CVE-2025-14906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Youtube Video Gallery plugin for WordPress, allowing attackers to modify settings via forged requests.
You are affected if you run WP Youtube Video Gallery version 1.0.0 through 1.0 and have not upgraded to a patched release; `wp plugin list` shows the installed version.
Upgrade to a patched version of the WP Youtube Video Gallery plugin as soon as it becomes available. Until then, implement workarounds like restricting admin access or using a security plugin.
Currently, there are no known active exploits for CVE-2025-14906, but it's important to apply mitigations proactively.
Check the WP Youtube Video Gallery plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-14906.