Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call
CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call
SECURITYHIGHCVE-2026-12923

CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

Dylan H.

Security Team

July 1, 2026
3 min read

Affected Products

  • YouTube Showcase Plugin <= 4.0.3 (WordPress)

Overview

A high-severity arbitrary function call vulnerability (CVSS 7.5) has been disclosed in the YouTube Showcase WordPress plugin, affecting all versions up to and including 4.0.3. The flaw, tracked as CVE-2026-12923, resides in an AJAX request handler and allows authenticated users with subscriber-level access or higher to invoke arbitrary zero-argument PHP functions on the server.

Vulnerability Details

The vulnerability exists in the emd_delete_file() AJAX handler located in includes/common-functions.php. The handler accepts a user-controlled path parameter and processes it through sanitize_text_field(), strips a trailing _PLUGIN_DIR substring, and then invokes the resulting string directly as a PHP function name — effectively calling $sess_name() with no additional sanitization or capability check.

Root Cause

The handler is gated only by a nonce check, with no current_user_can() capability validation. The nonce itself is emitted on any front-end page that renders a form shortcode containing file fields, making it accessible to any logged-in user regardless of role. Once the nonce is obtained, an attacker with subscriber-level access can craft a request with a path value that resolves to any callable PHP function that takes zero arguments.

Exploitable Functions

Attackers can invoke built-in PHP introspection and diagnostic functions, including:

  • phpinfo() — discloses full server configuration, loaded modules, and environment variables
  • phpversion() — reveals the PHP version
  • get_defined_vars() — exposes all currently defined variables and their values
  • error_get_last() — leaks the last PHP error message

While the flaw does not directly enable remote code execution, the information disclosure surface is significant, and chaining this vulnerability with other weaknesses on the same host could facilitate a broader compromise.

Affected Versions

ComponentAffected Versions
YouTube Showcase (WordPress Plugin)≤ 4.0.3

Impact

  • Confidentiality: High — server configuration, environment variables, and PHP internals are exposed
  • Integrity: None — attackers cannot write data through this flaw alone
  • Availability: None — no disruption capability
  • Authentication Required: Yes — subscriber-level or higher

Remediation

  1. Update immediately to a patched version of the YouTube Showcase plugin (version 4.0.4 or later when available through the WordPress plugin repository).
  2. Restrict user registration if subscriber-level accounts are not required for your site's operation.
  3. Audit AJAX handlers across installed plugins for similar patterns: unsanitized parameters being treated as callable function names.
  4. Apply a WAF rule to block POST requests to wp-admin/admin-ajax.php with action=emd_delete_file from non-administrative roles while a patch is being applied.

References

  • NVD — CVE-2026-12923
#CVE#WordPress#Plugin Vulnerability#Arbitrary Function Call#AJAX

Related Articles

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

3 min read

CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

5 min read

CVE-2026-8935: WP Maps Pro Unauthenticated Admin Account Creation (CVSS 9.8)

A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...

3 min read
Back to all Security Alerts