Vulnerabilities

CVE-2025-12002 - Feeds for YouTube Pro <= 2.6.0 - unauthenticated arbitrary file read via path tr...

2026-01-17 0 views admin
CVE-2025-12002 - Feeds for YouTube Pro <= 2.6.0 - unauthenticated arbitrary file read via path tr...

CVE ID : CVE-2025-12002 Published : Jan. 17, 2026, 3:16 a.m. | 1 hour, 9 minutes ago Description : The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. Severity: 5.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Severity
MEDIUM
Published
Jan. 17, 2026
Affected Product: WordPress

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2025-12002mediumwordpress

More from Vulnerabilities

CVE-2025-12984 - Advanced Ads – Ad Manager & AdSense <= 2.0.15 - authenticated (admin+) sql injec...

CVE-2025-12984 - Advanced Ads – Ad Manager & AdSense <= 2.0.15 - authenticated (admin+) sql injec...

2026-01-17 0
CVE-2026-0691 - CM E-Mail Blacklist <= 1.6.2 - authenticated (administrator+) stored cross-site s...

CVE-2026-0691 - CM E-Mail Blacklist <= 1.6.2 - authenticated (administrator+) stored cross-site s...

2026-01-17 0
CVE-2026-0833 - Team Section Block <= 2.0.0 - authenticated (contributor+) stored cross-site scri...

CVE-2026-0833 - Team Section Block <= 2.0.0 - authenticated (contributor+) stored cross-site scri...

2026-01-17 0
CVE-2026-0808 - Spin Wheel <= 2.1.0 - unauthenticated client-side prize manipulation via 'prize_i...

CVE-2026-0808 - Spin Wheel <= 2.1.0 - unauthenticated client-side prize manipulation via 'prize_i...

2026-01-17 0

Trending

1

Tech: Go-legacy-winxp: Compile Golang 1.24 code for Windows XP

2026-01-15 • 4457 views
2

Tech: Data is the only moat

2026-01-15 • 4133 views
3

Tech: Pocket TTS: A high quality TTS that gives your CPU a voice

2026-01-15 • 3239 views
4

Tech: AWS European Sovereign Cloud

2026-01-15 • 2741 views
5

Tech: JuiceFS is a distributed POSIX file system built on top of Redis and S3

2026-01-15 • 2719 views