8.8
CVE-2025-12966
- EPSS 0.35%
- Veröffentlicht 06.12.2025 09:25:57
- Zuletzt bearbeitet 08.12.2025 18:26:49
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
All-in-One Video Gallery 4.5.4 - 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Mögliche Gegenmaßnahme
All-in-One Video Gallery: Update to version 4.6.4, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
All-in-One Video Gallery
Version
4.5.4-4.5.7
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerplugins360
≫
Produkt
All-in-One Video Gallery
Default Statusunaffected
Version <=
4.5.7
Version
4.5.4
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.572 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.