Feeds for YouTube Pro WordPress Plugin Arbitrary File Read Vulnerability

Vulnerability

An arbitrary file read vulnerability has been identified in the Feeds for YouTube Pro plugin for WordPress, affecting all versions up to and including 2.6.0. The issue arises from inadequate sanitization of user-supplied data that is subsequently used in file operations. The flaw allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information. It is exploitable when the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server.

Reproduction

The vulnerability can be reproduced by sending a request to the 'sby_check_wp_submit' AJAX action with a crafted 'feed_id' parameter that triggers the path traversal flaw. No authentication is required: the insufficient sanitization of 'feed_id' lets the request read arbitrary files, particularly when the 'Save Featured Images' option is active.
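As an added detection example (not from the advisory or the plugin vendor), the following Python scans constructed Apache-style access-log lines for requests to the 'sby_check_wp_submit' action whose 'feed_id' value carries directory traversal sequences, including percent-encoded and double-encoded forms. The log lines, IP addresses and path fragments are constructed, and the script assumes the parameters travel in the query string, since POST bodies do not appear in standard access logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not from the advisory): one benign feed_id,
# one plain traversal, one double-encoded traversal, one unrelated action.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jan/2026:03:25:00 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&feed_id=12 HTTP/1.1" 200 512
203.0.113.7 - - [17/Jan/2026:03:26:10 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&feed_id=../../example HTTP/1.1" 200 3012
203.0.113.9 - - [17/Jan/2026:03:27:42 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&feed_id=..%252F..%252Fexample HTTP/1.1" 200 3012
198.51.100.2 - - [17/Jan/2026:03:28:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60
"""

# Common Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a path component, or an absolute (POSIX/Windows) path.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:[\\/]')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding to catch double encoding."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def is_suspicious_feed_id(feed_id):
    """True if the decoded feed_id looks like a traversal or absolute path."""
    decoded = decode_fully(feed_id).replace("\x00", "")
    return bool(TRAVERSAL_RE.search(decoded))

def scan_log(text):
    """Return (ip, timestamp, decoded feed_id) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        if qs.get("action", [""])[0] != "sby_check_wp_submit":
            continue
        for feed_id in qs.get("feed_id", []):
            if is_suspicious_feed_id(feed_id):
                hits.append((m.group("ip"), m.group("ts"), decode_fully(feed_id)))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit on a site running a version before 2.6.1 with 'Save Featured Images' enabled warrants checking which files the process could reach and updating the plugin.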

Remediation

Users are advised to update the Feeds for YouTube Pro plugin to version 2.6.1 or later.

Added: Jan 17, 2026, 3:25 AM
Updated: Jan 17, 2026, 3:25 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  9.3
remediation     7.7
relevance       2.1
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.