CVE-2025-12002
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smashballoon | feeds_for_youtube | up to 2.6.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Feeds for YouTube Pro WordPress plugin (up to version 2.6.0) allows unauthenticated attackers to read arbitrary files on the server via the 'sby_check_wp_submit' AJAX action. This happens because user-supplied data is not properly sanitized before being used in file operations. The exploit is possible only if the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. This vulnerability affects only the Pro version of the plugin.
How can this vulnerability impact me?
This vulnerability can allow an attacker to read sensitive files on the server without authentication. Such files may contain confidential information, credentials, or configuration data, potentially leading to information disclosure and further attacks on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the 'sby_check_wp_submit' AJAX action in the Feeds for YouTube Pro WordPress plugin, which allows arbitrary file read via insufficient sanitization of user input. Detection can be attempted by monitoring or scanning for HTTP requests to the AJAX endpoint that invoke the 'sby_check_wp_submit' action. For example, you can look for POST requests to 'wp-admin/admin-ajax.php' with the parameter 'action=sby_check_wp_submit'. A sample command to detect such requests in web server logs could be: `grep 'action=sby_check_wp_submit' /path/to/access.log`. Additionally, you can use curl to test if the endpoint is accessible and vulnerable by sending a crafted POST request with the 'action=sby_check_wp_submit' parameter and observing the response for arbitrary file contents. However, no explicit detection commands or scripts are provided in the resources. [3]
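The grep above only works when the 'action' parameter is in the query string, because the standard combined access-log format does not record POST bodies. The following script, added here as an illustration and not taken from BaseFortify, Wordfence or the plugin vendor, parses combined-format log lines, flags requests to 'wp-admin/admin-ajax.php' whose query string carries the 'sby_check_wp_submit' action, and separately marks admin-ajax POSTs whose action is not visible in the log so the blind spot is explicit. The log lines, IP addresses and response sizes are constructed sample data; the 'admin-ajax.php' path and 'action' parameter are the WordPress conventions the answer refers to.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
# Line 1: action in the query string of a POST.
# Line 2: action in the query string of a GET.
# Line 3: admin-ajax POST whose action would be in the body, which the log does not show.
# Line 4: unrelated static asset request.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2026:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=sby_check_wp_submit HTTP/1.1" 200 5123 "-" "curl/8.4.0"
203.0.113.7 - - [17/Jan/2026:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&x=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jan/2026:10:16:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://example.invalid/" "Mozilla/5.0"
198.51.100.4 - - [17/Jan/2026:10:16:11 +0000] "GET /wp-content/uploads/2026/01/thumb.jpg HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The AJAX action named in the advisory text above.
SUSPECT_ACTION = "sby_check_wp_submit"


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def classify(entry):
    """Return a finding label for an admin-ajax request, or None for anything else."""
    if not entry["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = entry["query"].get("action", [])
    if SUSPECT_ACTION in actions:
        # Same condition the grep catches, but matched on the parsed parameter
        # rather than on a substring anywhere in the line.
        return "suspect-action-in-query"
    if entry["method"] == "POST" and not actions:
        # The action sits in the request body, which combined-format logs do
        # not record; this cannot be confirmed or ruled out from the log alone.
        return "admin-ajax-post-body-unseen"
    return None


def scan(log_text):
    """Return (ip, method, label, status, size) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["method"], label,
                             entry["status"], entry["size"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The 'admin-ajax-post-body-unseen' label will match every legitimate admin-ajax POST on a busy site, so it is a measure of how much traffic the log cannot classify rather than an alert on its own; confirming body-carried actions needs request-body logging at the reverse proxy or WAF. The response size is carried through because, as the answer notes, an unusually large response to this action is the other observable a reviewer would look at.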
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Updating the Feeds for YouTube Pro plugin to a version later than 2.6.0 where the vulnerability is fixed.
2. If an update is not immediately possible, disable the 'Save Featured Images' setting and enable the 'Disable WP Posts' setting, as the vulnerability requires 'Save Featured Images' enabled and 'Disable WP Posts' disabled to be exploitable.
3. Restrict access to the AJAX endpoint or implement web application firewall (WAF) rules to block or monitor requests to the 'sby_check_wp_submit' AJAX action.
4. Clear plugin caches and transient data to remove any potentially cached malicious data.

These steps help prevent unauthenticated attackers from exploiting the arbitrary file read vulnerability. [4]