CVE-2026-12923 in Video Gallery Plugininfo

Summary

by MITRE • 07/01/2026

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/01/2026

The vulnerability in the YouTube Showcase plugin for WordPress represents a critical arbitrary function call flaw that enables authenticated attackers to execute unauthorized PHP functions with potentially devastating consequences. This issue affects versions up to and including 4.0.3, where the emd_delete_file() AJAX handler in includes/common-functions.php fails to properly validate user-supplied input. The vulnerability stems from inadequate sanitization practices that allow malicious actors to manipulate the 'path' parameter, which is subsequently processed through sanitize_text_field() function before having its trailing '_PLUGIN_DIR' substring removed. This processed value then becomes directly executable as a PHP function name through the dynamic invocation mechanism `$sess_name()` without any argument validation or access control checks.

The security implications of this vulnerability are severe due to the lack of proper authentication and authorization mechanisms within the AJAX handler. Unlike typical WordPress security patterns that require explicit permission checks through current_user_can() functions, this handler operates solely on nonce verification which is insufficient for protecting sensitive operations. The nonce validation mechanism is further weakened because nonces are generated and emitted on any front-end page containing forms with file fields, making them accessible to users who can submit content or interact with the plugin's frontend interface. This design flaw means that attackers with Subscriber-level access or higher can exploit this vulnerability without requiring elevated privileges beyond basic user accounts.

The impact of this vulnerability extends beyond simple information disclosure to potentially enable more sophisticated attacks depending on the PHP environment configuration and available functions. Attackers can invoke zero-argument PHP functions such as phpinfo(), phpversion(), get_defined_vars(), and error_get_last() which provide detailed insights into the server configuration, PHP version, loaded extensions, and potentially sensitive system information. These functions can reveal critical details about the underlying infrastructure that could be leveraged for further exploitation, including exposure of deprecated functions, enabled security features, or configuration settings that might aid in advanced attack vectors.

From a cybersecurity perspective, this vulnerability aligns with CWE-470, which addresses "Use of Externally-Controlled Input to Select Classes or Code" and represents a form of insecure dynamic code execution. The flaw also maps to ATT&CK technique T1059.007 for "Command and Scripting Interpreter: Python," though adapted for PHP environments where attackers can execute arbitrary PHP functions through dynamic invocation patterns. Organizations running affected versions should immediately implement mitigations including updating to patched versions, implementing additional access controls, or disabling the vulnerable plugin functionality until proper security measures are in place. The vulnerability demonstrates the critical importance of validating user input before using it in dynamic execution contexts and highlights how seemingly simple validation functions can create significant security gaps when combined with insufficient authorization checks.

Responsible

Wordfence

Reservation

06/22/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!