Feeds for YouTube WordPress Plugin Unauthorized License Key Modification Vulnerability

Vulnerability

A vulnerability exists in the Feeds for YouTube WordPress plugin, specifically in versions prior to 2.6.4. The issue arises from a missing capability check in the 'actions' function, allowing users with subscriber roles and above to delete the plugin's license key. This unauthorized modification could disrupt license management and associated functionalities.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of critical license information, potentially disrupting license management and associated features of the plugin.

Reproduction

To reproduce this vulnerability, first log into a WordPress site as a user with subscriber privileges. Once logged in, send a POST request to 'wp-admin/admin-ajax.php' without the necessary authorization. Include the 'action' parameter set to 'sby_recheck_connection' and any value for the 'license_key' parameter. The absence of a capability check allows the request to be processed, resulting in the deletion of the license key.

Remediation

Users are advised to update the Feeds for YouTube WordPress plugin to version 2.6.4 or later.

Added: May 18, 2026, 7:20 AM
Updated: May 18, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.