CVE-2025-14947
Unauthorized Data Modification in All-in-One Video Gallery Plugin
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_media | all-in-one_video_gallery | to 4.6.4 (inc) |
| wp_media | all-in-one_video_gallery | 4.7.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the All-in-One Video Gallery WordPress plugin (up to version 4.6.4) allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN linked to the victim's account. This happens because certain AJAX callback functions (`ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`) lack proper capability checks. Attackers can exploit this if they obtain a valid nonce exposed in public player templates, enabling unauthorized video management on Bunny Stream without authentication. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to manipulate your Bunny Stream video content without authorization. Specifically, attackers can create unauthorized videos or delete existing ones on your Bunny Stream CDN account, potentially disrupting your video content availability, damaging your brand reputation, or causing denial of service for your users relying on those videos. Since the attacker needs a valid nonce exposed publicly, the risk is significant if such nonces are accessible. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests targeting the vulnerable plugin's Bunny Stream AJAX endpoints, specifically the functions `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`. Since these endpoints require a valid nonce, which is exposed in public player templates, an attacker might exploit these by sending POST or DELETE requests to URLs like `/wp-admin/admin-ajax.php` with action parameters related to Bunny Stream video creation or deletion. To detect exploitation attempts, you can search your web server logs for suspicious AJAX requests to `admin-ajax.php` with these actions from unauthenticated IPs. Example commands to detect such activity include using grep on access logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'create_bunny_stream_video|delete_bunny_stream_video'` or using network monitoring tools to detect unusual POST or DELETE requests to these endpoints. Additionally, checking for unexpected video creations or deletions in the Bunny Stream CDN associated with your account can indicate exploitation. [1]
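The log search described above, as an added example that is not part of the original page or the plugin's code: it parses combined-format access log lines, decodes the `action` parameter, and matches all three callback names. Matching is by substring because the page does not give the registered action names; the `xyz_` prefix, IP addresses and log lines are constructed. Access logs do not record POST bodies, so POSTs to `admin-ajax.php` with no action in the URL are counted separately for follow-up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Substrings from the callback names on this page. The plugin's registered
# action names are not given there, so matching is by substring (assumption).
ACTION_RE = re.compile(r"(?:create|get|delete)_bunny_stream_video")
# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return (hits, body_only_posts).

    hits: (ip, method, action, status) for requests whose query-string action
    matches. body_only_posts: per-IP count of POSTs to admin-ajax.php with no
    action in the URL; the action is in the body, which access logs omit.
    """
    hits, body_only_posts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes, so encoded action values still match.
        actions = parse_qs(url.query).get("action", [])
        hits += [(ip, method, a, int(status)) for a in actions if ACTION_RE.search(a)]
        if method == "POST" and not actions:
            body_only_posts[ip] += 1
    return hits, body_only_posts

# Constructed sample lines: documentation IP ranges, hypothetical "xyz_" prefix.
SAMPLE = [
    '203.0.113.7 - - [23/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=xyz_delete_bunny_stream_video HTTP/1.1" 200 45 "-" "-"',
    '198.51.100.9 - - [23/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=xyz%5Fcreate_bunny_stream_video HTTP/1.1" 200 51 "-" "-"',
    '198.51.100.9 - - [23/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.4 - - [23/Jan/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2 "-" "-"',
    '192.0.2.4 - - [23/Jan/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    found, blind = scan(SAMPLE)
    for hit in found:
        print("match:", hit)
    print("POSTs needing body logging:", dict(blind))
```

To see the actions behind the body-only POSTs, request-body logging (for example at a WAF or reverse proxy) is needed; the access log alone cannot show them.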
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the All-in-One Video Gallery WordPress plugin to version 4.7.1 or later, where the vulnerability has been fixed by adding proper authorization checks to the Bunny Stream AJAX callbacks. If updating immediately is not possible, restrict access to the vulnerable AJAX endpoints by limiting access to authenticated and authorized users only, for example by applying web application firewall (WAF) rules or restricting access to `admin-ajax.php` for these specific actions. Additionally, monitor and revoke any suspicious Bunny Stream API credentials and review your Bunny Stream CDN for unauthorized video creations or deletions. Applying the principle of least privilege to user roles and capabilities related to the plugin can also reduce risk. [2]