PT-2026-54470 · Emarket Design · Video Gallery – Youtube Gallery

Prism · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12923

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the `emd_delete_file()` AJAX handler in includes/common-functions.php. The user-supplied value is passed through `sanitize_text_field()`, has its trailing `'_PLUGIN_DIR'` substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce (no `current_user_can()` check is present), and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as `phpinfo`, `phpversion`, `get_defined_vars`, `error_get_last`), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
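The two defects the advisory names are a missing authorization check and user input reaching a dynamic function call. The following is an added illustration written for this page, not the plugin's own source: the first handler reconstructs the pattern the description outlines, the second shows how a defender would rewrite it. Only the handler name `emd_delete_file` and the `path` parameter come from the advisory; the nonce action name, the `upload_files` capability, the `emd-files` subdirectory and the AJAX hook name are assumptions chosen for the example.

```php
<?php
/*
 * Added example for this advisory; not code from the Video Gallery plugin.
 * Assumed names: nonce action 'emd_delete_file', capability 'upload_files',
 * upload subdirectory 'emd-files', hook 'wp_ajax_emd_delete_file'.
 */

// Pattern described in the advisory (illustrative reconstruction only):
// a nonce check, sanitize_text_field(), substring strip, then the string is
// called as a function. A nonce proves the request came from a page the
// user loaded; it says nothing about whether the user is allowed to act.
function insecure_delete_file_handler() {
    check_ajax_referer( 'emd_delete_file', 'nonce' );           // no current_user_can()
    $sess_name = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    $sess_name = str_replace( '_PLUGIN_DIR', '', $sess_name );
    $sess_name();                                                // user string used as a callable
    wp_die();
}

// Hardened form: authorization, no dynamic dispatch, and the file path confined
// to one directory with a realpath() containment check.
function hardened_delete_file_handler() {
    check_ajax_referer( 'emd_delete_file', 'nonce' );

    // 1. Authorization: require a capability appropriate to deleting uploads.
    //    'upload_files' is an assumption; use whatever the feature actually needs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. The operation is fixed in code. The request may choose *which* file,
    //    never *what* is executed.
    $requested = isset( $_POST['path'] )
        ? sanitize_text_field( wp_unslash( $_POST['path'] ) )
        : '';
    if ( '' === $requested ) {
        wp_send_json_error( 'missing path', 400 );
    }

    // 3. Confine deletion to a single known directory. basename() discards any
    //    directory components; realpath() plus a prefix check rejects symlink
    //    escapes and anything that does not resolve inside the base directory.
    $upload   = wp_upload_dir();
    $base_dir = realpath( trailingslashit( $upload['basedir'] ) . 'emd-files' );
    $target   = false !== $base_dir
        ? realpath( $base_dir . DIRECTORY_SEPARATOR . basename( $requested ) )
        : false;

    if ( false === $base_dir
        || false === $target
        || 0 !== strpos( $target, $base_dir . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Perform the single intended action and report the result.
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

// Register only the hardened handler, and only for logged-in requests.
add_action( 'wp_ajax_emd_delete_file', 'hardened_delete_file_handler' );
```

When reviewing similar handlers, the two checks worth grepping for are a `current_user_can()` call next to every `check_ajax_referer()`, and any `$variable()` or `call_user_func()` whose callable can be traced back to `$_POST`, `$_GET` or `$_REQUEST`; sanitization such as `sanitize_text_field()` does not make a string safe to execute.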

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-12923

Affected Products

Video Gallery – Youtube Gallery