PatchSiren cyber security CVE debrief

CVE-2026-1631 Feeds for YouTube CVE debrief

CVE-2026-1631 is a medium-severity (CVSS 5.4) missing authorization vulnerability in the Feeds for YouTube WordPress plugin, affecting versions before 2.6.4. The flaw is in the plugin's 'actions' function, which lacks a proper capability check, so any authenticated user with subscriber-level privileges or higher can delete the plugin's license key without authorization. The weakness is classified as CWE-862 (Missing Authorization). The vulnerability was published to the NVD on May 18, 2026, and the record was modified later the same day. No exploitation in the wild or use in ransomware campaigns has been documented. Vendor attribution is currently marked as low confidence, based on reference domain analysis, with WPScan identified as the primary source.

Vendor: Feeds for YouTube
Product: Feeds for YouTube WordPress plugin
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

WordPress site administrators using the Feeds for YouTube plugin; security teams managing WordPress content management systems; organizations with open registration policies that create subscriber-level accounts

Technical summary

The Feeds for YouTube WordPress plugin's 'actions' function fails to verify user capabilities before processing license key deletion requests. This authorization bypass allows any authenticated user with subscriber privileges (the default WordPress role assigned to new registrations) to remove the plugin's license key, potentially disrupting video feed functionality. The vulnerability requires network access and valid low-privilege credentials but no user interaction. Impact is limited to integrity and availability (license deletion), with no confidentiality impact.
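To make the weakness class concrete, the following is an added, hypothetical WordPress AJAX handler written for this debrief; it is not the Feeds for YouTube plugin's code, and the function names, the hook name and the option name 'example_plugin_license_key' are assumptions. The first handler shows the CWE-862 pattern described above (authentication via the wp_ajax_ hook but no capability check); the second shows the same handler with the capability and nonce checks a privileged, state-changing request should carry.

```php
<?php
// Illustrative WordPress AJAX handlers (hypothetical; not the plugin's own code).
// Both delete a license key stored via the Options API under an assumed option
// name 'example_plugin_license_key'.

// BEFORE: reachable by any logged-in user. The wp_ajax_ hook only guarantees the
// caller is authenticated; nothing here checks what the caller is allowed to do,
// so a subscriber can trigger the deletion (CWE-862, Missing Authorization).
function example_plugin_actions_vulnerable() {
    if ( isset( $_POST['action_type'] ) && 'delete_license' === $_POST['action_type'] ) {
        delete_option( 'example_plugin_license_key' );
        wp_send_json_success( 'license removed' );
    }
    wp_send_json_error( 'unknown action' );
}

// AFTER: the same handler with the two checks WordPress expects on a privileged
// state-changing request.
function example_plugin_actions_hardened() {
    // 1. Authorization: only users who may manage plugin settings proceed.
    //    A subscriber fails this capability check and gets a 403 JSON error.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this specific action.
    //    The admin page would create it with wp_create_nonce( 'example_plugin_delete_license' ).
    //    check_ajax_referer() terminates the request with -1/403 if it is missing or stale.
    check_ajax_referer( 'example_plugin_delete_license', 'nonce' );

    $action_type = isset( $_POST['action_type'] ) ? sanitize_key( $_POST['action_type'] ) : '';
    if ( 'delete_license' === $action_type ) {
        delete_option( 'example_plugin_license_key' );
        wp_send_json_success( 'license removed' );
    }
    wp_send_json_error( 'unknown action', 400 );
}

// Register only the hardened handler. Using 'wp_ajax_' (not 'wp_ajax_nopriv_')
// restricts the endpoint to authenticated users, which is necessary but, as the
// vulnerable variant shows, not sufficient on its own.
add_action( 'wp_ajax_example_plugin_actions', 'example_plugin_actions_hardened' );
```

When reviewing a plugin for this pattern, look for every wp_ajax_ or admin-post callback that changes options or other state and confirm it performs a current_user_can() check before doing so.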

Defensive priority

medium

Recommended defensive actions

  • Upgrade Feeds for YouTube WordPress plugin to version 2.6.4 or later
  • Review WordPress user roles and remove unnecessary subscriber-level accounts
  • Implement principle of least privilege for WordPress user access
  • Monitor WordPress audit logs for unauthorized license key modifications
  • Verify plugin license key integrity after patching

Evidence notes

Vulnerability description sourced from official NVD record. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. Weakness classification: CWE-862. Vendor attribution confidence: low, derived from reference domain candidate 'Wpscan'.
