Arbitrary Function Call Vulnerability in YouTube Showcase Plugin for WordPress
CVE-2026-12923

7.5 HIGH

What is CVE-2026-12923?

The YouTube Showcase plugin for WordPress is vulnerable to arbitrary function calls. An authenticated attacker with Subscriber-level access or higher can execute arbitrary PHP functions because the 'path' parameter of the emd_delete_file() AJAX handler is not adequately validated. The user-controlled value passes through sanitize_text_field(), which strips tags, line breaks and encoded characters but leaves a plain function name intact, and is then invoked as a PHP function with no parameters. Depending on which functions are available on the server, this can expose sensitive information or enable further exploitation.
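The pattern the advisory describes, shown as an illustrative reconstruction beside a hardened handler. This is added example code, not the plugin's source: the handler bodies, the exact call form (call_user_func), the nonce action name, the 'emd' upload subdirectory and the capability chosen are all assumptions. The point it demonstrates is that sanitize_text_field() is a text sanitizer, not an authorization or allowlisting control, so a bare function name such as phpinfo survives it and reaches the call.

```php
<?php
// Added example reconstructing the advisory's pattern. NOT the plugin's code:
// handler names, hook names, parameter handling and paths are assumptions.

// Vulnerable pattern: request data becomes a callable.
// sanitize_text_field() removes tags, line breaks and %xx sequences, but a
// plain identifier like "phpinfo" is returned unchanged, so the call still
// happens with whatever function the caller named.
add_action( 'wp_ajax_emd_delete_file', 'emd_delete_file_vulnerable' );

function emd_delete_file_vulnerable() {
    $path = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    if ( is_callable( $path ) ) {
        call_user_func( $path ); // attacker-chosen function, zero arguments (assumed call form)
    }
    wp_send_json_success();
}

// Hardened pattern: never derive a callable from the request. Check a nonce,
// check a real capability (Subscribers must not reach this), and treat the
// parameter strictly as a file name confined to one known directory.
add_action( 'wp_ajax_emd_delete_file_hardened', 'emd_delete_file_hardened' );

function emd_delete_file_hardened() {
    check_ajax_referer( 'emd_delete_file', 'nonce' ); // 'emd_delete_file' nonce action is assumed

    if ( ! current_user_can( 'manage_options' ) ) {   // capability choice is assumed
        wp_send_json_error( 'forbidden', 403 );
    }

    // Resolve the allowed base directory first so symlinks do not break the prefix test.
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'emd' ); // 'emd' subdir is assumed
    if ( false === $base ) {
        wp_send_json_error( 'storage unavailable', 500 );
    }

    // sanitize_file_name() drops directory separators and other unsafe characters,
    // so "../../wp-config.php" cannot survive as a traversal; realpath() then gives
    // the canonical target and the prefix check confines it to $base.
    $name   = sanitize_file_name( wp_unslash( $_POST['path'] ?? '' ) );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );

    if ( false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}
```

The hardened version fixes three separate defects at once: the caller is authenticated to an intent (nonce) and authorized by capability rather than by merely being logged in, the parameter is never treated as code, and the file operation is confined to a directory the plugin owns. Only the first two are strictly required to close the vulnerability described above; the third prevents the "delete file" handler from becoming an arbitrary-file-deletion primitive once the function-call problem is gone.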

Affected Version(s)

Video Gallery – YouTube Gallery, Playlist & Video Grid: all versions up to and including 4.0.3

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

PRISM