{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:11.011Z", "dateUpdated": "2026-04-08T08:30:11.011Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "youtube-embed-plus", "product": "Youtube Embed Plus", "vendor": "embedplus", "versions": [{"changes": [{"at": "14.2.5", "status": "unaffected"}], "lessThanOrEqual": "14.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.837Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.</p>"}], "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:11.011Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-embed-plus/vulnerability/wordpress-youtube-embed-plus-plugin-14-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4."}], "id": "CVE-2026-39485", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:23.253", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-embed-plus/vulnerability/wordpress-youtube-embed-plus-plugin-14-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.2.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[14.2.5,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Youtube Embed Plus", "source": "cna", "vendor": "embedplus"}, "product": "youtube_embed_plus", "vendor": "embedplus"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:18:27.345057+00:00", "value": {"mitigation_remediation": ["Update the Youtube Embed Plus plugin to a version newer than 14.2.4", "Verify that only administrators have access to the plugin\u2019s settings and editor pages", "Review and harden role\u2011based permissions on your WordPress site", "Monitor logs for unauthorized access attempts"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the embedplus Youtube Embed Plus plugin from its earliest version up through any release dated 14.2.4 or earlier are affected. The plugin is identified by embedplus and is commonly used on sites that embed video content.", "description_and_impact": "The vulnerability is a missing authorization check in the embedplus Youtube Embed Plus plugin for WordPress. An attacker can exploit incorrectly configured access control security levels to reach administrative interfaces that normally require higher privileges. This flaw allows unauthorized manipulation of the plugin\u2019s settings and the embedded content, potentially leading to the insertion of malicious videos or alteration of user\u2011generated content. The weakness is classified as CWE-862.", "risk_and_exploitability": "The CVSS score and EPSS data are not publicly disclosed, and the vulnerability is not listed in the CISA KEV catalog, so the exact quantitative risk cannot be determined. However, because the flaw permits unauthorized access to privileged plugin functions via the web interface, the risk is considered high for sites where the plugin\u2019s administrative pages are reachable. The likely attack vector is through crafted HTTP requests sent to the plugin\u2019s backend endpoints, and exploitation does not appear to require additional pre\u2011conditions beyond the presence of the vulnerable plugin installation."}}}}, "created": "2026-04-08T19:30:43.949388+00:00", "updated": "2026-04-08T19:43:13.179574+00:00", "vendors": ["embedplus", "embedplus$PRODUCT$youtube_embed_plus", "wordpress", "wordpress$PRODUCT$wordpress"]}