8.8
CVE-2025-12957
- EPSS 0.05%
- Veröffentlicht 16.01.2026 04:44:35
- Zuletzt bearbeitet 16.01.2026 15:55:12
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Mögliche Gegenmaßnahme
All-in-One Video Gallery: Update to version 4.6.4, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
All-in-One Video Gallery
Version
*-4.5.7
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerplugins360
≫
Produkt
All-in-One Video Gallery
Default Statusunaffected
Version <=
4.5.7
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.138 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.