CVE-2025-12966 HIGH

CVE-2025-12966: All-in-One Video Gallery 4.5.4 - 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP

Vendor Plugins360
Product All-in-One Video Gallery
Weakness CWE-434 · Unrestricted file upload
Published December 6, 2025
Last update December 8, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Explanation of Vulnerability in Simple Terms

02Summary

All-in-One Video Gallery versions 4.5.4 through 4.5.7 allow authenticated users to upload files without proper validation. An attacker with low-level account access can upload malicious files, including executable code, to the site. This can lead to unauthorized access, data theft, or site takeover.

What an attacker can do

03Attacker Capabilities

Upload and execute malicious files on the site with a low-privilege account.

Potential impact on your site

04Site Impact

Compromised site integrity, potential data breach, and loss of control over the site's functionality.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

December 6, 2025 CVE published
December 8, 2025 Record updated