All-in-One Video Gallery Security Vulnerabilities
The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary...
8.8CVSS
7.6AI Score
0.001EPSS
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with...
8.8CVSS
8.2AI Score
0.001EPSS
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download...
8.2CVSS
8.2AI Score
0.029EPSS
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion...
7.2CVSS
6.8AI Score
0.03EPSS