{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:11.011Z", "dateUpdated": "2026-04-29T09:52:01.953Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "youtube-embed-plus", "product": "Youtube Embed Plus", "vendor": "embedplus", "versions": [{"changes": [{"at": "14.2.5", "status": "unaffected"}], "lessThanOrEqual": "14.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.837Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.</p>"}], "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.953Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-embed-plus/vulnerability/wordpress-youtube-embed-plus-plugin-14-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:11:08.681826Z", "id": "CVE-2026-39485", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:11:13.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39485", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:11:08.681826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:11:01.146Z"}}], "cna": {"title": "WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "embedplus", "product": "Youtube Embed Plus", "versions": [{"status": "affected", "changes": [{"at": "14.2.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "14.2.4"}], "packageName": "youtube-embed-plus", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:57.837Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/youtube-embed-plus/vulnerability/wordpress-youtube-embed-plus-plugin-14-2-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:11.011Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39485", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:11:13.532Z", "dateReserved": "2026-04-07T10:47:37.759Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:11.011Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4."}], "id": "CVE-2026-39485", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:23.253", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/youtube-embed-plus/vulnerability/wordpress-youtube-embed-plus-plugin-14-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.2.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[14.2.5,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Youtube Embed Plus", "source": "cna", "vendor": "embedplus"}, "product": "youtube_embed_plus", "vendor": "embedplus"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T20:53:43.116008+00:00", "value": {"mitigation_remediation": ["Upgrade the Youtube Embed Plus plugin to version 14.2.5 or later.", "Verify that the plugin\u2019s configuration requires appropriate WordPress user roles for sensitive actions.", "Disable or remove the plugin if an update is not immediately possible.", "Review user accounts and limit permissions to the least necessary.", "Monitor site activity for signs of unauthorized access."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the embedplus Youtube Embed Plus plugin version 14.2.4 or earlier are affected. Any site running these versions with the plugin enabled is vulnerable until the plugin is updated to a later release.", "description_and_impact": "The Youtube Embed Plus plugin for WordPress contains a missing authorization flaw that allows attackers to reach plugin endpoints without proper privilege checks. Because access controls are not enforced as intended, an attacker who can send requests to the plugin may be able to use functions that should be restricted, potentially exposing or altering embedded media settings. This weakness is identified as Missing Authorization (CWE\u2011862).", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate severity. The EPSS score is below 1 %, which suggests that exploitation in the wild is currently unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is inferred to be web\u2011based, requiring an attacker to deliver requests to the plugin\u2019s endpoints. Because no authentication is enforced, any user with network access to the site could potentially exploit the flaw, but the risk remains moderate compared to higher\u2011severity exploits."}}}}, "created": "2026-04-08T19:30:43.949388+00:00", "updated": "2026-04-13T14:25:36.655979+00:00", "vendors": ["embedplus", "embedplus$PRODUCT$youtube_embed_plus", "wordpress", "wordpress$PRODUCT$wordpress"]}