AVideo < 20.0 ImageGallery Plugin Unauthenticated File Upload and Deletion

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

AVideo versions prior to 20.0 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

AI Analysis

Unauthenticated file upload and deletion vulnerability in AVideo ImageGallery plugin

Basic Information

ID CVE-2025-34434

Source VulnCheck

Published Dec 17, 2025 at 19:49

Affected Product

Vendor World Wide Broadcast Network

Product AVideo

Affected Versions World Wide Broadcast Network AVideo 0

CWE Classification

CWE-306

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor World Wide Broadcast Network

Product AVideo

Version < 20.0

References

{
    "lastseen": "",
    "description": "AVideo versions prior to 20.0 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.",
    "published": "2025-12-17T19:49:56.335Z",
    "modified": "2025-12-17T19:49:56.335Z",
    "type": "cve",
    "title": "AVideo < 20.0 ImageGallery Plugin Unauthenticated File Upload and Deletion",
    "source": "VulnCheck",
    "references": "https://github.com/WWBN/AVideo/commit/4a53ab2056\nhttps://github.com/WWBN/AVideo/commit/c279999cbd\nhttps://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion",
    "id": "CVE-2025-34434",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "World Wide Broadcast Network AVideo 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AVideo",
    "version": "0",
    "vendor": "World Wide Broadcast Network",
    "ai_description": "Unauthenticated file upload and deletion vulnerability in AVideo ImageGallery plugin",
    "ai_severity": "Critical",
    "ai_vendor": "World Wide Broadcast Network",
    "ai_product": "AVideo",
    "ai_version": "< 20.0",
    "ai_score": 9.3
}

AVideo < 20.0 ImageGallery Plugin Unauthenticated File Upload and Deletion_CVE-2025-34434