Overview
A high-severity arbitrary function call vulnerability (CVSS 7.5) has been disclosed in the YouTube Showcase WordPress plugin, affecting all versions up to and including 4.0.3. The flaw, tracked as CVE-2026-12923, resides in an AJAX request handler and allows authenticated users with subscriber-level access or higher to invoke arbitrary zero-argument PHP functions on the server.
Vulnerability Details
The vulnerability exists in the emd_delete_file() AJAX handler located in includes/common-functions.php. The handler accepts a user-controlled path parameter and processes it through sanitize_text_field(), strips a trailing _PLUGIN_DIR substring, and then invokes the resulting string directly as a PHP function name — effectively calling $sess_name() with no additional sanitization or capability check.
Root Cause
The handler is gated only by a nonce check, with no current_user_can() capability validation. The nonce itself is emitted on any front-end page that renders a form shortcode containing file fields, making it accessible to any logged-in user regardless of role. Once the nonce is obtained, an attacker with subscriber-level access can craft a request with a path value that resolves to any callable PHP function that takes zero arguments.
Exploitable Functions
Attackers can invoke built-in PHP introspection and diagnostic functions, including:
phpinfo()— discloses full server configuration, loaded modules, and environment variablesphpversion()— reveals the PHP versionget_defined_vars()— exposes all currently defined variables and their valueserror_get_last()— leaks the last PHP error message
While the flaw does not directly enable remote code execution, the information disclosure surface is significant, and chaining this vulnerability with other weaknesses on the same host could facilitate a broader compromise.
Affected Versions
| Component | Affected Versions |
|---|---|
| YouTube Showcase (WordPress Plugin) | ≤ 4.0.3 |
Impact
- Confidentiality: High — server configuration, environment variables, and PHP internals are exposed
- Integrity: None — attackers cannot write data through this flaw alone
- Availability: None — no disruption capability
- Authentication Required: Yes — subscriber-level or higher
Remediation
- Update immediately to a patched version of the YouTube Showcase plugin (version 4.0.4 or later when available through the WordPress plugin repository).
- Restrict user registration if subscriber-level accounts are not required for your site's operation.
- Audit AJAX handlers across installed plugins for similar patterns: unsanitized parameters being treated as callable function names.
- Apply a WAF rule to block POST requests to
wp-admin/admin-ajax.phpwithaction=emd_delete_filefrom non-administrative roles while a patch is being applied.