What the vulnerability does
01Description
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Explanation of Vulnerability in Simple Terms
02Summary
All-in-One Video Gallery versions 4.5.4 through 4.5.7 allow authenticated users to upload files without proper validation. An attacker with low-level account access can upload malicious files, including executable code, to the site. This can lead to unauthorized access, data theft, or site takeover.
What an attacker can do
03Attacker Capabilities
Upload and execute malicious files on the site with a low-privilege account.
Potential impact on your site
04Site Impact
Compromised site integrity, potential data breach, and loss of control over the site's functionality.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06Disclosure timeline
December 6, 2025
CVE published
December 8, 2025
Record updated