CVE-2026-12923 Overview
CVE-2026-12923 is an arbitrary function call vulnerability in the Youtube Showcase plugin for WordPress, affecting all versions up to and including 4.0.3. The flaw resides in the emd_delete_file() AJAX handler within includes/common-functions.php. Authenticated attackers with Subscriber-level access can invoke arbitrary zero-argument PHP functions through the path parameter. This enables sensitive information disclosure through functions such as phpinfo, phpversion, get_defined_vars, and error_get_last. The vulnerability is classified under [CWE-98] (Improper Control of Filename for Include/Require Statement).
Critical Impact
Authenticated Subscriber-level users can invoke arbitrary zero-argument PHP functions, leading to information disclosure and potential further compromise depending on available functions.
Affected Products
- Youtube Showcase plugin for WordPress
- Versions up to and including 4.0.3
- All WordPress sites using the affected plugin with a form shortcode containing file fields
Discovery Timeline
- 2026-07-01 - CVE-2026-12923 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-12923
Vulnerability Analysis
The vulnerability exists in the emd_delete_file() AJAX handler located in includes/common-functions.php. The handler accepts a user-supplied path parameter and processes it through sanitize_text_field(). The code then strips the trailing _PLUGIN_DIR substring from the value. The resulting string is invoked as a PHP function name with no arguments through the dynamic invocation pattern $sess_name().
Sanitization via sanitize_text_field() only removes control characters and tags. It does not restrict the value to an allowlist of safe function names. Any zero-argument PHP function callable in the current environment becomes reachable through this handler.
Root Cause
The root cause is insufficient validation of the path parameter combined with missing authorization checks. The handler is gated only by a nonce verification, with no current_user_can() capability check. The nonce is emitted on any front-end page that renders a form shortcode containing file fields. Any authenticated user who can view such a page can retrieve a valid nonce.
Attack Vector
An authenticated attacker with Subscriber-level access loads a front-end page rendering the vulnerable form shortcode to obtain a valid nonce. The attacker then submits an AJAX request to the emd_delete_file() endpoint with the path parameter set to a target PHP function name. Functions such as phpinfo, phpversion, get_defined_vars, and error_get_last return sensitive runtime information. See the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for details on the vulnerable code path.
Detection Methods for CVE-2026-12923
Indicators of Compromise
- POST requests to admin-ajax.php invoking the emd_delete_file action with a path parameter matching sensitive PHP function names such as phpinfo, phpversion, get_defined_vars, or error_get_last.
- Unusually large AJAX response payloads from admin-ajax.php consistent with phpinfo() output being returned to a Subscriber-level session.
- Repeated AJAX calls to the emd_delete_file endpoint originating from low-privilege user sessions.
Detection Strategies
- Inspect web server access logs for action=emd_delete_file parameters combined with non-file values in the path field.
- Correlate WordPress user role assignments with AJAX endpoint access patterns to identify Subscriber accounts invoking administrative-style handlers.
- Deploy a Web Application Firewall (WAF) rule to flag POST requests where the path parameter for emd_delete_file does not resemble a filesystem path.
Monitoring Recommendations
- Enable WordPress audit logging for all AJAX handler invocations from non-administrator roles.
- Monitor for new Subscriber-level account registrations followed by AJAX requests to plugin endpoints.
- Alert on outbound traffic patterns consistent with data exfiltration following suspicious admin-ajax.php activity.
How to Mitigate CVE-2026-12923
Immediate Actions Required
- Update the Youtube Showcase plugin to a version above 4.0.3 as soon as a patched release is available from the vendor.
- Disable the Youtube Showcase plugin until a patch is applied if the plugin is not business-critical.
- Remove or restrict any front-end pages that render form shortcodes containing file fields exposed to low-privilege users.
- Audit WordPress user accounts and disable open user registration where not required.
Patch Information
Review the WordPress Changeset Overview for vendor changes related to this issue. Site administrators should upgrade to a fixed release once published and validate that emd_delete_file() enforces a current_user_can() capability check and restricts path values to expected filesystem entries.
Workarounds
- Use a WAF rule to block POST requests to admin-ajax.php where the action parameter equals emd_delete_file and the path parameter matches known PHP function names.
- Restrict access to admin-ajax.php from unauthenticated and Subscriber-level sessions through hardened access controls.
- Remove form shortcodes containing file fields from publicly reachable pages to prevent nonce disclosure to low-privilege users.
# Example WAF rule (ModSecurity) to block exploitation attempts
SecRule ARGS:action "@streq emd_delete_file" \
"id:1026129230,phase:2,deny,status:403,\
chain,msg:'CVE-2026-12923 Youtube Showcase arbitrary function call'"
SecRule ARGS:path "@rx ^(phpinfo|phpversion|get_defined_vars|error_get_last|posix_getpwuid|sys_get_temp_dir)$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

