PT-2026-54470 · Emarket Design · Video Gallery – Youtube Gallery
Prism · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12923

| CVSS v3.1 | 7.5 High |
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via $sess_name(). The handler is gated only by a nonce (no current_user_can() check is present), and that nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
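The following is an added illustration, not the plugin's own code: a schematic of the handler shape the advisory describes, followed by a hardened version that checks a capability, validates the path against the uploads directory and performs a fixed operation instead of calling a function named by input. The hook name, nonce action strings, the 'upload_files' capability and the helper emd_resolve_upload_path() are assumptions, since the plugin's source is not on this page.

```php
<?php
// Schematic reconstruction from the advisory text (hypothetical, not the plugin's code):
// 'path' is sanitized, a '_PLUGIN_DIR' suffix is stripped, and the result is called.
function emd_delete_file_schematic() {
    check_ajax_referer( 'emd-nonce', 'nonce' );            // nonce only, no capability check
    $sess_name = sanitize_text_field( $_POST['path'] );   // leaves letters and underscores intact
    $sess_name = str_replace( '_PLUGIN_DIR', '', $sess_name );
    $sess_name();                                         // variable function call on user input
}

// Hardened handler (assumed hook and capability names).
function emd_delete_file_hardened() {
    // 1. The nonce only proves the request originated from a page we rendered.
    check_ajax_referer( 'emd-delete-file', 'nonce' );
    // 2. Authorization: the caller must actually be allowed to manage uploads.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw    = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $target = emd_resolve_upload_path( sanitize_text_field( $raw ) );
    if ( false === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // 3. Fixed operation on a validated path; input never selects a function.
    wp_delete_file( $target );
    wp_send_json_success();
}

// Resolve a relative name to an existing file inside the uploads directory, else false.
function emd_resolve_upload_path( $relative ) {
    $base = realpath( wp_upload_dir()['basedir'] );
    $full = realpath( $base . '/' . ltrim( $relative, '/\\' ) );
    if ( false === $base || false === $full || ! is_file( $full ) ) {
        return false;
    }
    // Traversal check: the resolved path must remain under the uploads directory.
    return 0 === strpos( $full, $base . DIRECTORY_SEPARATOR ) ? $full : false;
}

add_action( 'wp_ajax_emd_delete_file', 'emd_delete_file_hardened' );
```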
Affected Products
Video Gallery – Youtube Gallery