CVE-2023-1865 in YourChannel Plugin
Summary
by MITRE • 04/05/2023
The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when resetting plugin settings via the yrc_nuke GET parameter in versions up to, and including, 1.2.3. This makes it possible for unauthenticated attackers to delete YouTube channels from the plugin.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2023-1865 affects the YourChannel plugin for WordPress, a popular tool that integrates YouTube channels into WordPress websites. This flaw resides in the plugin's handling of administrative functions, specifically when processing reset operations through the yrc_nuke GET parameter. The issue represents a critical security oversight that undermines the integrity of the plugin's configuration management system and exposes sensitive data to unauthorized modification.
The technical root cause of this vulnerability stems from a missing capability check within the plugin's code implementation. When an attacker accesses the plugin's administrative endpoint with the yrc_nuke parameter, the system fails to verify whether the requesting user possesses the necessary permissions to perform such destructive operations. This absence of proper authentication validation creates an exploitable condition where any unauthenticated user can trigger the deletion of YouTube channel configurations stored within the plugin's settings. The vulnerability is classified as a weakness in authorization mechanisms, aligning with CWE-863, which addresses "Incorrect Authorization" in software systems. The flaw demonstrates a failure in implementing proper access control measures that should ensure only authorized administrators can modify critical plugin configurations.
The operational impact of this vulnerability extends beyond simple data loss, creating potential security risks for WordPress websites utilizing the affected plugin. Unauthenticated attackers can exploit this weakness to remove YouTube channel integrations, potentially disrupting website functionality and content delivery. This unauthorized modification capability could serve as a stepping stone for more extensive attacks, as it allows threat actors to compromise the plugin's configuration and potentially gain insights into the website's multimedia content management systems. The vulnerability particularly affects websites that rely heavily on YouTube integration for content delivery, making it a significant concern for publishers, businesses, and content creators who depend on these plugin functionalities. From an adversary perspective, this represents a low-effort, high-impact attack vector that aligns with ATT&CK technique T1078.004, which involves legitimate credentials obtained through unauthenticated access to administrative interfaces.
Mitigation strategies for CVE-2023-1865 should prioritize immediate remediation through plugin updates to versions that address the missing capability check. System administrators must ensure all instances of the YourChannel plugin are updated to the latest secure version, as the vulnerability affects all versions up to and including 1.2.3. Additionally, implementing proper access controls and monitoring for unauthorized administrative access attempts can help detect exploitation attempts. Network-level protections such as web application firewalls should be configured to monitor for suspicious GET parameter usage patterns targeting the affected plugin endpoints. Regular security audits of WordPress plugins and themes remain essential for identifying similar authorization flaws across the entire website ecosystem. Organizations should also consider implementing principle of least privilege configurations for plugin access rights and establish automated monitoring systems to detect unauthorized changes to critical plugin settings. The vulnerability serves as a reminder of the importance of proper input validation and access control implementation in web applications, particularly when handling sensitive configuration data that could impact website operations and user experience.