Arbitrary Function Call Vulnerability in YouTube Showcase Plugin for WordPress
CVE-2026-12923
7.5 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12923?
The YouTube Showcase plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access or higher to execute arbitrary PHP functions. The cause is inadequate input validation of the 'path' parameter in the emd_delete_file() AJAX handler: the user-controlled value is passed through sanitize_text_field() and then called as a PHP function with no parameters. This can lead to unauthorized access to sensitive information and potential exploitation, depending on the PHP functions available on the server.
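A hardened shape for this kind of AJAX handler, as an added example that is not the plugin's code or its actual patch: the request parameter is treated only as a file name, and the handler checks a nonce and a capability before acting. It assumes the handler exists to delete a file the plugin stored in its own uploads subdirectory; the example_* names, the nonce action and the directory are hypothetical.

```php
<?php
// Added example, not the plugin's code. All example_* names, the nonce action
// and the storage directory are hypothetical.
defined( 'ABSPATH' ) || exit;

// Map a client-supplied file name to a real file inside $base_dir, or null.
function example_resolve_upload( string $requested, string $base_dir ): ?string {
	$base = realpath( $base_dir );
	$name = basename( $requested ); // drop any directory components
	if ( false === $base || '' === $name || '.' === $name || '..' === $name ) {
		return null;
	}
	// realpath() resolves symlinks; the result must still sit under $base.
	$full = realpath( $base . DIRECTORY_SEPARATOR . $name );
	if ( false === $full || ! is_file( $full )
		|| 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
		return null;
	}
	return $full;
}

function example_delete_file_handler() {
	// 1. CSRF: stops with 403 unless the request carries a valid nonce.
	check_ajax_referer( 'example_delete_file', 'nonce' );

	// 2. Authorization: logged in is not enough. Subscribers do not have
	//    upload_files in a default WordPress role setup.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 3. 'path' is data (a file name). It is never invoked as $value() or
	//    handed to call_user_func(); a bare function name is ordinary text,
	//    so a text sanitizer returns it unchanged.
	$raw     = isset( $_POST['path'] ) ? sanitize_file_name( wp_unslash( $_POST['path'] ) ) : '';
	$uploads = wp_upload_dir();
	$target  = example_resolve_upload( $raw, $uploads['basedir'] . '/example-plugin' );
	if ( null === $target ) {
		wp_send_json_error( array( 'message' => 'Invalid file' ), 400 );
	}

	wp_delete_file( $target );
	wp_send_json_success();
}

// Logged-in requests only: no wp_ajax_nopriv_ counterpart is registered.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_handler' );
```

A production handler would also confirm that the file belongs to the requesting user or to an object that user may edit.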
Affected Version(s)
Video Gallery – YouTube Gallery, Playlist & Video Grid 0 <= 4.0.3