Executive Summary

The vulnerability in the All-in-One Video Gallery WordPress plugin (up to version 4.6.4) allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN linked to the victim's account. This happens because certain AJAX callback functions (`ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`) lack proper capability checks. Attackers can exploit this if they obtain a valid nonce exposed in public player templates, enabling unauthorized video management on Bunny Stream without authentication. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to manipulate your Bunny Stream video content without authorization. Specifically, attackers can create unauthorized videos or delete existing ones on your Bunny Stream CDN account, potentially disrupting your video content availability, damaging your brand reputation, or causing denial of service for your users relying on those videos. Since the attacker needs a valid nonce exposed publicly, the risk is significant if such nonces are accessible. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests targeting the vulnerable plugin's Bunny Stream AJAX endpoints, specifically the functions `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`. Since these endpoints require a valid nonce which is exposed in public player templates, an attacker might exploit these by sending POST or DELETE requests to URLs like `/wp-admin/admin-ajax.php` with action parameters related to Bunny Stream video creation or deletion. To detect exploitation attempts, you can search your web server logs for suspicious AJAX requests to admin-ajax.php with these actions from unauthenticated IPs. Example commands to detect such activity include using grep on access logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'create_bunny_stream_video|delete_bunny_stream_video'` or using network monitoring tools to detect unusual POST or DELETE requests to these endpoints. Additionally, checking for unexpected video creations or deletions in the Bunny Stream CDN associated with your account can indicate exploitation. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the All-in-One Video Gallery WordPress plugin to version 4.7.1 or later, where the vulnerability has been fixed by adding proper authorization checks to the Bunny Stream AJAX callbacks. If updating immediately is not possible, restrict access to the vulnerable AJAX endpoints by limiting access to authenticated and authorized users only, for example by applying web application firewall (WAF) rules or restricting access to `admin-ajax.php` for these specific actions. Additionally, monitor and revoke any suspicious Bunny Stream API credentials and review your Bunny Stream CDN for unauthorized video creations or deletions. Applying principle of least privilege to user roles and capabilities related to the plugin can also reduce risk. [2]

Useful 0 Not Useful 0