CVE-2026-1631
Deferred Deferred - Pending Action
License Key Deletion in Feeds for YouTube WordPress Plugin

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: WPScan

Description
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-1631
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
feeds_for_youtube wordpress_plugin to 2.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-1631 is a vulnerability in the Feeds for YouTube WordPress plugin versions before 2.6.4. The issue arises because the plugin's 'actions' function lacks a proper capability check, which allows users with subscriber-level privileges or higher to modify the plugin's license key without authorization.

Specifically, an attacker can log in as a subscriber and send a specially crafted request to the 'sby_recheck_connection' action, which deletes important license information stored in the WordPress database options 'sby_islicence_upgraded' and 'sby_upgraded_info'. This is classified as a broken access control vulnerability.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with subscriber or higher privileges to delete the license key of the Feeds for YouTube plugin. This could disrupt the plugin's functionality, potentially causing loss of access to premium features or updates that rely on a valid license.

Since the license key is critical for the plugin's operation, its deletion could lead to service interruptions or degraded performance of the YouTube feeds on your WordPress site.

Detection Guidance

This vulnerability can be detected by checking if the 'Feeds for YouTube' WordPress plugin version is prior to 2.6.4 and by monitoring for unauthorized requests to the 'sby_recheck_connection' action.

A practical detection method involves logging in as a subscriber-level user and attempting to send a crafted request to the 'sby_recheck_connection' action to see if the license key information is deleted.

You can also inspect the WordPress database options 'sby_islicence_upgraded' and 'sby_upgraded_info' for unexpected deletions or modifications.

  • Check the plugin version installed on your WordPress site to confirm if it is below 2.6.4.
  • Use a subscriber account to send a POST request to the WordPress admin-ajax.php endpoint with the parameter action=sby_recheck_connection and observe if license data is deleted.
  • Query the WordPress database for the options 'sby_islicence_upgraded' and 'sby_upgraded_info' to verify their presence and integrity.
Mitigation Strategies

The immediate mitigation step is to update the 'Feeds for YouTube' WordPress plugin to version 2.6.4 or later, where this vulnerability is fixed.

Until the update can be applied, restrict subscriber-level users from accessing or triggering the 'sby_recheck_connection' action if possible.

Monitor the license key related options in the WordPress database for unauthorized changes and restore them if necessary.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1631. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart