PT-2026-54470 · Emarket Design · Video Gallery – Youtube Gallery

Prism · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12923

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has a trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via $sess_name(). sanitize_text_field() removes tags and control characters but leaves a bare identifier such as "phpinfo" intact, so it provides no protection here. The handler is gated only by a nonce, with no current_user_can() check, and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
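The handler flow given in the description, reconstructed beside a hardened version. This is an added illustration, not the plugin's source. Only the steps named above are reproduced (nonce-only gate, sanitize_text_field(), removal of a trailing '_PLUGIN_DIR', a dynamic zero-argument call); the nonce action and field names, the AJAX action name, the resolver names in the allowlist, the capability checked and what is done with the returned directory are assumptions:

```php
<?php
// Illustrative reconstruction, not the plugin's code. Names marked "assumed"
// or "hypothetical" are not taken from the advisory.

// --- Vulnerable shape (as described in the advisory) ----------------------
function vuln_emd_delete_file() {
    // Nonce only. Any authenticated user who can load a front-end page that
    // renders the form shortcode can read a valid nonce; no capability check.
    check_ajax_referer('emd_file_nonce', 'nonce'); // action/field names assumed

    $path = isset($_POST['path']) ? sanitize_text_field(wp_unslash($_POST['path'])) : '';

    // sanitize_text_field() strips tags and control characters but leaves a
    // bare identifier such as "phpinfo" untouched.
    $sess_name = preg_replace('/_PLUGIN_DIR$/', '', $path);

    // Attacker-controlled string used as a callable: path=phpinfo -> phpinfo()
    $base_dir = $sess_name();

    // ... (assumed) file deletion relative to $base_dir would follow here.
    wp_send_json_success();
}

// --- Hardened shape -------------------------------------------------------

// Fixed allowlist of resolver callbacks the handler may invoke. The names are
// hypothetical stand-ins; the point is that request input is only ever
// compared against this list and is never itself used as a callable.
function emd_allowed_dir_resolvers() {
    return array(
        'emd_gallery_upload_dir',   // hypothetical
        'emd_gallery_cache_dir',    // hypothetical
    );
}

// Map the request value to a base directory, or null if it is not allowed.
function emd_resolve_base_dir_from_request($raw_path) {
    $name = preg_replace('/_PLUGIN_DIR$/', '', sanitize_text_field(wp_unslash($raw_path)));
    // Strict comparison: phpinfo, get_defined_vars, error_get_last and every
    // other name outside the allowlist are rejected before any call happens.
    if (!in_array($name, emd_allowed_dir_resolvers(), true) || !function_exists($name)) {
        return null;
    }
    return call_user_func($name);
}

function hardened_emd_delete_file() {
    check_ajax_referer('emd_file_nonce', 'nonce'); // action/field names assumed

    // Authorization independent of the nonce: a nonce proves the request came
    // from a page the user loaded, not that the user may delete files.
    if (!current_user_can('upload_files')) {   // capability chosen as an example
        wp_send_json_error('forbidden', 403);  // wp_send_json_error() exits
    }

    $base_dir = isset($_POST['path']) ? emd_resolve_base_dir_from_request($_POST['path']) : null;
    if ($base_dir === null) {
        wp_send_json_error('invalid path', 400);
    }

    // ... deletion logic confined to $base_dir would follow here.
    wp_send_json_success();
}

// Registration for the hardened handler (AJAX action name assumed).
add_action('wp_ajax_emd_delete_file', 'hardened_emd_delete_file');
```

The two changes that matter are independent: a capability check keeps Subscribers out regardless of how they obtained the nonce, and the allowlist means that even a user who passes the capability check cannot turn the 'path' value into an arbitrary function call.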

Fix


Weakness Enumeration

Related identifiers

CVE-2026-12923

Affected products

Video Gallery – Youtube Gallery