CVE-2024-11354
📋 TL;DR
This vulnerability in the Ultimate YouTube Video & Shorts Player With Vimeo WordPress plugin allows authenticated attackers with Subscriber-level access or higher to delete single playlists without proper authorization. It affects all versions up to and including 3.3 due to a missing capability check in the del_ytsingvid() function.
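The root cause named above is an admin-ajax handler that performs no authorization before deleting. The following is an added illustration, not the plugin's own code: a hypothetical handler written in the vulnerable pattern (any logged-in user, Subscriber included, reaches a `wp_ajax_*` action) beside the hardened form that adds the nonce and capability checks. The action names, the `example_playlists` option key and the function names are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Action names, the option key and the
// function names are assumptions; the WordPress API calls are real.

// Vulnerable pattern: the wp_ajax_* hook fires for every authenticated role,
// and the handler trusts the caller and deletes whatever id is posted.
function example_del_playlist_unchecked() {
    $id        = isset( $_POST['playlist_id'] ) ? absint( $_POST['playlist_id'] ) : 0;
    $playlists = get_option( 'example_playlists', array() );
    unset( $playlists[ $id ] );
    update_option( 'example_playlists', $playlists );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_del_playlist', 'example_del_playlist_unchecked' );

// Hardened pattern: reject requests without a valid nonce (CSRF), then require
// a capability that only playlist managers hold before touching the data.
function example_del_playlist_checked() {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_del_playlist', 'nonce' );

    // Subscribers do not have manage_options; use the narrowest capability
    // that matches the roles meant to manage playlists on the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $id        = isset( $_POST['playlist_id'] ) ? absint( $_POST['playlist_id'] ) : 0;
    $playlists = get_option( 'example_playlists', array() );
    if ( ! isset( $playlists[ $id ] ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    unset( $playlists[ $id ] );
    update_option( 'example_playlists', $playlists );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_example_del_playlist_v2', 'example_del_playlist_checked' );
```

The client side of the hardened form sends a nonce created with `wp_create_nonce( 'example_del_playlist' )` in the `nonce` field. Note that because the vulnerable handler performs no capability check at all, removing a capability from the Subscriber role cannot close this class of hole; only a check inside the handler (or removing the handler by deactivating the plugin) does.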
💻 Affected Systems
- Ultimate YouTube Video & Shorts Player With Vimeo WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically delete all playlists, disrupting content organization and potentially causing data loss if playlists aren't backed up.
Likely Case
Subscriber-level users deleting playlists they shouldn't have access to, causing minor content management disruption.
If Mitigated
Limited impact if proper user role management and backups are in place, with only authorized administrators able to manage playlists.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.3
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate YouTube Video & Shorts Player With Vimeo'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin.
🔧 Temporary Workarounds
Remove Subscriber playlist deletion capability
Use WordPress role management to prevent Subscriber-level users from accessing playlist management functions
wp role reset subscriber --allow-root
wp cap remove subscriber delete_playlists --allow-root
Temporary plugin deactivation
Deactivate the vulnerable plugin until patched
wp plugin deactivate ultimate-youtube-video-player --allow-root
🧯 If You Can't Patch
- Implement strict user role management and limit Subscriber accounts
- Enable comprehensive logging and monitoring for playlist deletion activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Ultimate YouTube Video & Shorts Player With Vimeo → Version. If version is 3.3 or lower, you are vulnerable.
Check Version:
wp plugin get ultimate-youtube-video-player --field=version --allow-root
Verify Fix Applied:
After updating, verify plugin version is higher than 3.3 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- WordPress audit logs showing playlist deletion by non-admin users
- Unexpected playlist removal events in application logs
Network Indicators:
- POST requests to admin-ajax.php or plugin-specific endpoints with playlist deletion parameters from non-admin users
SIEM Query:
source="wordpress.log" AND ("playlist deleted" OR "del_ytsingvid") AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/admin/admin.php#L17
- https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/admin/inc/handler/delsingvid.php#L8
- https://www.wordfence.com/threat-intel/vulnerabilities/id/30c99510-fd57-4268-8e35-6f7e6f912b7e?source=cve