Unauthorized Modification in Feeds for YouTube WordPress Plugin by Vendor
CVE-2026-1631

Currently unrated

Key Information:

Vendor: WordPress
Status: Feeds For Youtube (youtube Video, Channel, And Gallery Plugin)
Vendor: CVE Published:; 18 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-1631?

The Feeds for YouTube plugin, which integrates YouTube video, channel, and gallery functionalities, is susceptible to unauthorized modifications due to a lack of capability checks on the 'actions' function. This vulnerability allows users with subscriber privileges or higher to delete the plugin's license key, potentially leading to disruptions in functionality and unauthorized usage.

Affected Version(s)

Feeds for YouTube (YouTube video, channel, and gallery plugin) 0 < 2.6.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-1631 - Proof of Concept

References

https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 18, 2026
👾
Exploit known to exist
May 18, 2026
Vulnerability published
May 18, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Legion Hunter

WPScan

CVE-2026-1631 Data

JSON