CVE-2023-1867 MEDIUM

CVE-2023-1867: YourChannel <= 1.2.4 - Cross-Site Request Forgery to Plugin Settings Change

Vendor Pluginbuilders

Product YourChannel: Everything you want in a YouTube plugin.

Weakness CWE-352 · CSRF

Published April 5, 2023

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

April 5, 2023 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1867

Related vulnerabilities

04Related CVE

CVE-2024-49617 WordPress Back Link Tracker plugin <= 1.0.0 - CSRF to SQL Injection vulnerability CVE-2024-43945 WordPress LatePoint plugin <= 4.9.91 - Cross Site Request Forgery (CSRF) vulnerability CVE-2024-51688 WordPress FraudLabs Pro SMS Verification plugin <= 1.10.1 - CSRF to Stored XSS vulnerability CVE-2023-34386 WordPress WPC Smart Wishlist for WooCommerce Plugin <= 4.7.1 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2022-29436 WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Persistent Cross-Site Scripting (XSS)

Identifiers

CVE CVE-2023-1867

CWE CWE-352

CVSS 5.4 / MEDIUM

Affected versions

Vendor Pluginbuilders

Product YourChannel: Everything you want in a YouTube plugin.

Affected ≤ 1.2.4