CVE-2025-14906
CSRF Vulnerability in WP Youtube Video Gallery Plugin Allows Settings Modification
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_youtube_video_gallery | wp_youtube_video_gallery | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Youtube Video Gallery plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0. This occurs because the function wpYTVideoGallerySettingSave() lacks nonce verification, which is a security measure to confirm that requests are legitimate. As a result, an attacker can trick a site administrator into performing an unwanted action, such as changing plugin settings, by sending a forged request.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to modify the plugin settings by tricking an administrator into clicking a malicious link. This could lead to unauthorized changes in how the plugin behaves or displays content, potentially disrupting site functionality or exposing the site to further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the WP Youtube Video Gallery plugin to a version later than 1.0 where nonce verification is properly implemented on the wpYTVideoGallerySettingSave() function. If an update is not available, restrict access to the plugin's settings page to trusted administrators only and avoid clicking on suspicious links that could trigger forged requests. Additionally, consider implementing custom nonce verification or other CSRF protections in the plugin code. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WP Youtube Video Gallery plugin due to missing nonce verification in the wpYTVideoGallerySettingSave() function. Detection would involve monitoring for unauthorized or forged POST requests to the plugin's settings save endpoint, especially those that modify plugin settings without proper authentication. Since the vulnerability involves an unauthenticated attacker tricking an admin into clicking a malicious link, network detection could include inspecting HTTP requests for suspicious POST requests to the plugin's admin settings URL. Specific commands are not provided in the available resources, so no exact detection commands can be suggested. [2]