Plugins360 All-In-One Video Gallery vulnerabilities
12 known vulnerabilities affecting plugins360/all-in-one_video_gallery.
Total CVEs: 12
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 7, MEDIUM 5
Vulnerabilities
CVE-2022-4974 | P2 | MEDIUM | CVSS 6.3 | CWE-862 | Exploited | fixed in 2.5.4 | 2024-10-16
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme runni
nvd
CVE-2022-2633 | P2 | HIGH | CVSS 8.2 | CWE-610 | PoC | ≥ 2.5.8, ≤ 2.6.0 | 2022-09-06
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests
nvd
CVE-2021-24970 | P3 | HIGH | CVSS 7.2 | CWE-22 | PoC | fixed in 2.5.0 | 2021-12-13
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue.
nvd
CVE-2025-12957 | P2 | HIGH | CVSS 8.8 | CWE-434 | ≤ 4.5.7 | 2026-01-16
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers,
nvd
CVE-2025-12966 | P2 | HIGH | CVSS 8.8 | CWE-434 | ≥ 4.5.4, ≤ 4.5.7 | 2025-12-06
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may ma
nvd
CVE-2024-4033 | P2 | HIGH | CVSS 8.8 | CWE-434 | ≤ 3.6.4 | 2024-05-02
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the
nvd
CVE-2024-4670 | P3 | HIGH | CVSS 8.8 | CWE-98 | ≤ 3.6.5 | 2024-05-15
The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code i
nvd
CVE-2024-31248 | P3 | HIGH | CVSS 8.8 | CWE-862 | fixed in 3.6.0 | 2024-06-09
Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery. This issue affects All-in-One Video Gallery: from n/a through 3.5.2.
nvd
CVE-2025-14947 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | ≤ 4.6.4 | 2026-01-23
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible fo
nvd
CVE-2025-15516 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | ≥ 4.1.0, ≤ 4.6.4 | 2026-01-24
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys
nvd
CVE-2026-1706 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 4.7.1 | 2026-03-04
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successful
nvd
CVE-2024-6629 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 3.8.3 | ≤ 3.7.1 | 2024-07-24
The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video shortcode in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, t
nvd