All-in-One Video Gallery 4.5.4 – 4.5.7 – Authenticated (Author+) Arbitrary...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI Analysis

Arbitrary file upload vulnerability due to missing file type validation

Basic Information

ID CVE-2025-12966

Source Wordfence

Published Dec 6, 2025 at 09:25

Affected Product

Vendor plugins360

Product All-in-One Video Gallery

Version 4.5.4

Affected Versions plugins360 All-in-One Video Gallery 4.5.4

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor plugins360

Product All-in-One Video Gallery

Version 4.5.4-4.5.7

References

{
    "lastseen": "",
    "description": "The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2025-12-06T09:25:57.785Z",
    "modified": "2025-12-06T09:25:57.785Z",
    "type": "cve",
    "title": "All-in-One Video Gallery 4.5.4 - 4.5.7 \u2013 Authenticated (Author+) Arbitrary File Upload via Import ZIP",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b03bca1-84e3-4220-b39b-69044c42e9f9?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery/trunk/admin/import-export.php",
    "id": "CVE-2025-12966",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "plugins360 All-in-One Video Gallery 4.5.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "All-in-One Video Gallery",
    "version": "4.5.4",
    "vendor": "plugins360",
    "ai_description": "Arbitrary file upload vulnerability due to missing file type validation",
    "ai_severity": "High",
    "ai_vendor": "plugins360",
    "ai_product": "All-in-One Video Gallery",
    "ai_version": "4.5.4-4.5.7",
    "ai_score": 8.8
}

All-in-One Video Gallery 4.5.4 – 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP_CVE-2025-12966