CVE-2026-1631
License Key Deletion in Feeds for YouTube WordPress Plugin
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feeds_for_youtube | wordpress_plugin | to 2.6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1631 is a vulnerability in the Feeds for YouTube WordPress plugin versions before 2.6.4. The issue arises because the plugin's 'actions' function lacks a proper capability check, which allows users with subscriber-level privileges or higher to modify the plugin's license key without authorization.
Specifically, an attacker can log in as a subscriber and send a specially crafted request to the 'sby_recheck_connection' action, which deletes important license information stored in the WordPress database options 'sby_islicence_upgraded' and 'sby_upgraded_info'. This is classified as a broken access control vulnerability.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users with subscriber or higher privileges to delete the license key of the Feeds for YouTube plugin. This could disrupt the plugin's functionality, potentially causing loss of access to premium features or updates that rely on a valid license.
Since the license key is critical for the plugin's operation, its deletion could lead to service interruptions or degraded performance of the YouTube feeds on your WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the 'Feeds for YouTube' WordPress plugin version is prior to 2.6.4 and by monitoring for unauthorized requests to the 'sby_recheck_connection' action.
A practical detection method involves logging in as a subscriber-level user and attempting to send a crafted request to the 'sby_recheck_connection' action to see if the license key information is deleted.
You can also inspect the WordPress database options 'sby_islicence_upgraded' and 'sby_upgraded_info' for unexpected deletions or modifications.
- Check the plugin version installed on your WordPress site to confirm if it is below 2.6.4.
- Use a subscriber account to send a POST request to the WordPress admin-ajax.php endpoint with the parameter action=sby_recheck_connection and observe if license data is deleted.
- Query the WordPress database for the options 'sby_islicence_upgraded' and 'sby_upgraded_info' to verify their presence and integrity.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the 'Feeds for YouTube' WordPress plugin to version 2.6.4 or later, where this vulnerability is fixed.
Until the update can be applied, restrict subscriber-level users from accessing or triggering the 'sby_recheck_connection' action if possible.
Monitor the license key related options in the WordPress database for unauthorized changes and restore them if necessary.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.