Vulnerabilities and security research for feeds-for-youtube
May 19, 2026
Feeds for YouTube (YouTube video, channel, and gallery plugin) # CVE-2026-1631
- CVE, Research URL
- Date: May 18, 2026
- Research Description: The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above to delete the license key.
- Affected versions: max 2.6.4.
- Status: vulnerable
Jan 28, 2026
Feeds for YouTube (YouTube video, channel, and gallery plugin) # CVE-2025-12002
- CVE, Research URL
- Date: Jan 17, 2026
- Research Description: The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
- Affected versions: max 2.6.2.
- Status: vulnerable
Jan 10, 2026
Feeds for YouTube (YouTube video, channel, and gallery plugin) # CVE-2025-64635
- CVE, Research URL
- Date: Dec 16, 2025
- Research Description: Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Feeds for YouTube: from n/a through <= 2.4.0.
- Affected versions: max 2.4.0.
- Status: vulnerable
Jul 12, 2024
Feeds for YouTube (YouTube video, channel, and gallery plugin) # CVE-2024-6256
- CVE, Research URL
- Date: Jul 11, 2024
- Research Description: The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'youtube-feed' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.2.2.
- Status: vulnerable
Jun 07, 2024
Feeds for YouTube (YouTube video, channel, and gallery plugin) # CVE-2023-4841
- CVE, Research URL
- Date: Sep 14, 2023
- Research Description: The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.1.2.
- Status: vulnerable
Feeds for YouTube (YouTube video, channel, and gallery plugin) # 63d036bf8354801dd02167b4cc6a671f96fb03ce
- CVE, Research URL
- Date: Jul 20, 2021
- Research Description: Feeds for YouTube (YouTube video, channel, and gallery plugin) [feeds-for-youtube] < 1.4.2. Smash Balloon Plugins (Various Versions) - Reflected Cross-Site Scripting. Several Smash Balloon Plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via URLs in various versions due to insufficient input sanitization and output escaping with the use of add_query_arg. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions: max 1.4.2.
- Status: vulnerable