CVE-2025-12002 Overview
The Feeds for YouTube Pro plugin for WordPress contains an arbitrary file read vulnerability affecting all versions up to and including 2.6.0. This path traversal flaw exists in the sby_check_wp_submit AJAX action due to insufficient sanitization of user-supplied data that is subsequently used in file operations. The vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive configuration data, database credentials, and other critical information.
Critical Impact
Unauthenticated attackers can read sensitive server files including wp-config.php, potentially exposing database credentials and authentication keys when specific plugin settings are enabled.
Affected Products
- Feeds for YouTube Pro plugin for WordPress versions ≤ 2.6.0
- WordPress installations with "Save Featured Images" setting enabled
- WordPress installations with "Disable WP Posts" setting disabled
Discovery Timeline
- 2026-01-17 - CVE-2025-12002 published to NVD
- 2026-01-17 - Last updated in NVD database
Technical Details for CVE-2025-12002
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), allowing attackers to access files outside the intended directory structure. The flaw requires specific plugin configuration conditions to be exploitable: the "Save Featured Images" setting must be enabled, and "Disable WP Posts" must be disabled. When these conditions are met, unauthenticated remote attackers can leverage the AJAX endpoint to read arbitrary files from the server filesystem.
The vulnerability poses a significant confidentiality risk as it enables extraction of sensitive server-side files. WordPress configuration files containing database credentials, API keys, and authentication salts are prime targets for exploitation.
Root Cause
The root cause lies in inadequate input sanitization within the AdminAjaxService.php file, specifically in the handling of user-supplied data passed to the sby_check_wp_submit AJAX action. The plugin fails to properly validate and sanitize file path parameters before using them in file read operations, allowing attackers to traverse directory structures using sequences like ../ to access files outside the intended scope.
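The fix for this class of bug is to canonicalise the user-supplied path and then test that the result still lies inside the directory the feature is meant to serve, rather than stripping or blocklisting traversal strings. The following Python is an added illustration of that containment check written for this page; it is not the plugin's PHP code, and the "uploads" directory, the resolve_within and classify helpers and the sample inputs are constructed for the demonstration. Because the check runs on the resolved path, it rejects the literal ../ and the %2e%2e%2f spelling the advisory lists as indicators, and an absolute path such as /etc/passwd, with one rule.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside base_dir.

    Raises ValueError when the resolved path escapes base_dir. The decision is
    made on the canonicalised result, so it does not matter whether the '..'
    segments arrived literally, percent-encoded, or through a symlink.
    """
    decoded = unquote(user_path)  # judge what the bytes mean, not how they were spelled
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute, so an input such as
    # /etc/passwd resolves to itself and is then caught by the containment test.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def classify(base_dir: str, inputs) -> dict:
    """Map each candidate input to 'allowed' or 'rejected'."""
    verdicts = {}
    for raw in inputs:
        try:
            resolve_within(base_dir, raw)
            verdicts[raw] = "allowed"
        except ValueError:
            verdicts[raw] = "rejected"
    return verdicts


# Constructed inputs: one legitimate image name plus the traversal spellings the
# advisory lists as indicators (literal ../ and the %2e%2e%2f encoding) and an
# absolute path outside the web root.
SAMPLE_INPUTS = [
    "thumb.jpg",
    "../../wp-config.php",
    "%2e%2e%2f%2e%2e%2fwp-config.php",
    "/etc/passwd",
]


def demo() -> dict:
    """Create a throwaway 'uploads' directory (hypothetical) and run the samples through it."""
    uploads = tempfile.mkdtemp(prefix="sby-uploads-")
    with open(os.path.join(uploads, "thumb.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # constructed: a JPEG magic header stands in for an image
    verdicts = classify(uploads, SAMPLE_INPUTS)
    for raw, verdict in verdicts.items():
        print(f"{verdict:8} {raw}")
    return verdicts


if __name__ == "__main__":
    demo()
```

The same containment test is what a PHP handler would perform with realpath() on the joined path before passing it to any file read; the point is that the allow-decision is derived from the resolved location, so no list of encodings needs to be maintained.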
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can craft malicious requests to the vulnerable AJAX endpoint, manipulating file path parameters to include directory traversal sequences. Due to the conditional nature of the vulnerability (requiring specific plugin settings), the attack complexity is considered high.
The vulnerable code can be traced through multiple source files including:
- AdminAjaxService.php at line 25
- AdminAjaxService.php at line 339
- AdminAjaxService.php at line 383
- sby-functions.php at line 1038
- sby-functions.php at line 1047
Detection Methods for CVE-2025-12002
Indicators of Compromise
- Unusual AJAX requests to wp-admin/admin-ajax.php with action parameter sby_check_wp_submit
- HTTP requests containing directory traversal patterns such as ../ or encoded variants like %2e%2e%2f
- Access logs showing attempts to read sensitive files like wp-config.php, /etc/passwd, or other system files
- Unexpected file access patterns in web server logs originating from the feeds-for-youtube plugin directory
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns in requests to WordPress AJAX endpoints
- Implement log analysis rules to detect requests with directory traversal sequences targeting the sby_check_wp_submit action
- Deploy intrusion detection signatures for file read attempts through WordPress plugin AJAX handlers
- Audit web server access logs for requests containing suspicious path manipulation characters
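The indicators and the log-analysis strategy above can be turned into a small scanner over web server access logs. The Python below is an added example written for this page, not tooling from the plugin vendor or from Wordfence. It parses combined-format access log lines, percent-decodes every query parameter (repeatedly, to cover stacked encodings), flags the ../ pattern and the sensitive file names the advisory names, and rates a hit highest when it coincides with the sby_check_wp_submit action on admin-ajax.php. The sample log lines are constructed, and the file parameter name in them is a placeholder: the advisory does not name the vulnerable parameter, which is why the scanner inspects every parameter rather than one.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A '..' path segment, in either slash direction, evaluated after percent-decoding.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
SENSITIVE_NAMES = ("wp-config.php", "/etc/passwd")
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "sby_check_wp_submit"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo stacked percent-encoding so that %252e%252e%252f is judged as '../'.

    parse_qs has already removed one layer; the loop stops as soon as a
    decode pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(line: str):
    """Return an alert dict for a suspicious log line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)
    is_ajax = url.path.endswith(AJAX_PATH)
    action = params.get("action", [""])[0]

    findings = []
    for name, values in params.items():
        for value in values:
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                findings.append(f"traversal sequence in parameter '{name}'")
            if any(s in decoded for s in SENSITIVE_NAMES):
                findings.append(f"sensitive file name in parameter '{name}'")
    hits_action = is_ajax and action == SUSPECT_ACTION
    if hits_action:
        findings.append(f"AJAX action {SUSPECT_ACTION}")
    if not findings:
        return None

    # Action plus traversal is the advisory's signature; either alone still merits review.
    if hits_action and len(findings) > 1:
        severity = "high"
    elif hits_action:
        severity = "medium"
    else:
        severity = "low"
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
            "severity": severity, "findings": findings}


def scan(lines):
    """Run analyse() over an iterable of log lines and return the alerts in order."""
    return [alert for alert in (analyse(line) for line in lines) if alert]


# Constructed sample lines; 'file' is a placeholder parameter name, not one from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=sby_check_wp_submit&file=../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jan/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=sby_check_wp_submit&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Jan/2026:10:03:00 +0000] "GET /index.php?p=../../etc/passwd'
    ' HTTP/1.1" 404 0 "-" "curl/8.0"',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], "; ".join(alert["findings"]))
```

Access logs record only the request line, so a POST whose traversal sequence travels in the body is invisible to this scanner unless the action also appears in the query string; that gap is the reason the monitoring recommendations ask for detailed AJAX request logging (or WAF-level inspection) rather than access logs alone.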
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests and regularly review for anomalous patterns
- Configure real-time alerting for any requests attempting to access files outside the WordPress installation directory
- Monitor for bulk scanning activity targeting common WordPress plugin vulnerabilities
- Track access attempts to sensitive configuration files such as wp-config.php
How to Mitigate CVE-2025-12002
Immediate Actions Required
- Update the Feeds for YouTube Pro plugin to a version newer than 2.6.0 when a patched version becomes available
- As a temporary measure, disable the "Save Featured Images" setting in the plugin configuration
- Enable the "Disable WP Posts" setting to prevent exploitation until patched
- Consider temporarily deactivating the Feeds for YouTube Pro plugin if it is not critical to site operations
Patch Information
Refer to the Wordfence Vulnerability Report for the latest patch status and vendor updates. Site administrators should monitor the Smash Balloon YouTube Feed official page for security updates.
Workarounds
- Disable the "Save Featured Images" feature in the Feeds for YouTube Pro plugin settings panel
- Enable the "Disable WP Posts" option to mitigate the attack vector
- Implement Web Application Firewall (WAF) rules to block requests containing path traversal sequences to WordPress AJAX endpoints
- Restrict access to wp-admin/admin-ajax.php by IP address if the AJAX functionality is not required for unauthenticated users
# Apache .htaccess rule to block path traversal attempts
# Note: these conditions inspect only the query string. A traversal sequence
# sent in a POST body to admin-ajax.php is not visible to mod_rewrite, so this
# rule complements, rather than replaces, the plugin setting changes above.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} (%2e%2e%2f) [NC]
RewriteRule ^wp-admin/admin-ajax\.php - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.