All-in-One Video Gallery Security & Risk Analysis

wordpress.org/plugins/all-in-one-video-gallery

The ultimate video player & video gallery plugin for YouTubers, Video Bloggers, Course Creators, Podcasters, and anyone embedding videos on websites.

20K active installs · v4.7.5 · PHP 5.6.20+ · WP 6.3+ · Updated Feb 25, 2026
Tags: live-stream, video-gallery, video-player, vimeo-gallery, youtube-gallery
Security score: 88 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Mar 3, 2026
Safety Verdict

Is All-in-One Video Gallery Safe to Use in 2026?

Generally Safe

Score 88/100

All-in-One Video Gallery has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Mar 3, 2026 · Updated 1mo ago
Risk Assessment

The "all-in-one-video-gallery" plugin v4.7.5 presents a mixed security posture. While it demonstrates good practices in SQL query sanitization and a high percentage of properly escaped output, significant concerns arise from its attack surface. A substantial number of AJAX handlers (23 out of 24) lack proper authorization checks, creating a wide entry point for potential privilege escalation or unauthorized actions. Furthermore, the taint analysis, while not revealing critical or high severity issues in this scan, did identify flows with unsanitized paths, indicating a potential for path traversal vulnerabilities if these flows are triggered by user input.

The plugin's historical vulnerability data is a major red flag. A total of 11 known CVEs, with 6 high and 5 medium severity, suggests a pattern of recurring security weaknesses. The common vulnerability types listed (XSS, Missing Authorization, Unrestricted Upload, Path Traversal, PHP Remote File Inclusion) are all severe and can lead to complete site compromise. The fact that there are currently no unpatched CVEs is a positive, but the sheer volume and nature of past vulnerabilities point to a plugin that has historically been a target and may have underlying architectural issues that are difficult to fully remediate. The last vulnerability being in 2026 is likely a typo and should be treated with caution.

In conclusion, despite some positive technical indicators like prepared SQL statements and good output escaping, the substantial number of unprotected AJAX endpoints and the plugin's extensive history of high and medium severity vulnerabilities necessitate a cautious approach. Users should be aware of the potential risks associated with the broad attack surface and the historical pattern of exploitable flaws, even if the current version appears to have addressed past issues.

Key Concerns

  • Large attack surface without auth checks (AJAX)
  • Unsanitized paths in taint analysis
  • History of 6 High severity CVEs
  • History of 5 Medium severity CVEs
  • Missing authorization on 23 AJAX handlers
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
11

All-in-One Video Gallery Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 1 CVE
2024: 4 CVEs
2025: 1 CVE
2026: 4 CVEs

Severity Breakdown

High: 6
Medium: 5

11 total CVEs

CVE-2026-1706 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All-in-One Video Gallery <= 4.7.1 - Reflected Cross-Site Scripting via 'vi' Parameter

Mar 3, 2026 Patched in 4.7.5 (1d)

CVE-2025-15516 · medium · 4.3 · Missing Authorization

All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

Jan 23, 2026 Patched in 4.7.1 (1d)

CVE-2025-14947 · medium · 6.5 · Missing Authorization

All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion

Jan 22, 2026 Patched in 4.7.1 (2d)

CVE-2025-12957 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass

Jan 15, 2026 Patched in 4.6.4 (1d)

CVE-2025-12966 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

All-in-One Video Gallery 4.5.4 - 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP

Dec 5, 2025 Patched in 4.6.4 (1d)

CVE-2024-6629 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

All-in-One Video Gallery <= 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Shortcode

Jul 23, 2024 Patched in 3.8.3 (1d)

CVE-2024-4670 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

All-in-One Video Gallery <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode

May 14, 2024 Patched in 3.7.0 (2d)

CVE-2024-4033 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

All-in-One Video Gallery <= 3.6.4 - Authenticated (Contributor+) Arbitrary File Upload via featured image

May 1, 2024 Patched in 3.6.5 (2d)

CVE-2024-31248 · medium · 4.3 · Missing Authorization

All-in-One Video Gallery <= 3.5.2 - Missing Authorization

Apr 5, 2024 Patched in 3.6.0 (6d)

CVE-2022-2633 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

All-in-One Video Gallery 2.5.8 - 2.6.0 - Arbitrary File Download & Server-Side Request Forgery

Aug 17, 2022 Patched in 2.6.1 (524d)

CVE-2021-24970 · high · 7.2 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

All-In-One-Gallery <= 2.4.9 - Admin+ Local File Inclusion

Nov 15, 2021 Patched in 2.5.0 (799d)
Code Analysis
Analyzed Mar 16, 2026

All-in-One Video Gallery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (20 prepared)
Unescaped Output: 110 (1125 escaped)
Nonce Checks: 23
Capability Checks: 18
File Operations: 15
External Requests: 12
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared · 20 total queries

Output Escaping

91% escaped · 1235 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

13 flows · 9 with unsanitized paths
save_meta_data (admin\videos.php:221)
Attack Surface
23 unprotected

All-in-One Video Gallery Attack Surface

Entry Points: 36
Unprotected: 23

AJAX Handlers 24

auth wp_ajax_aiovg_store_user_meta includes\init.php:173
auth wp_ajax_aiovg_import_folder includes\init.php:242
auth wp_ajax_aiovg_import_csv includes\init.php:243
auth wp_ajax_aiovg_get_csv_columns includes\init.php:244
auth wp_ajax_aiovg_export_csv includes\init.php:245
auth wp_ajax_aiovg_export_zip includes\init.php:246
auth wp_ajax_aiovg_set_cookie includes\init.php:274
nopriv wp_ajax_aiovg_set_cookie includes\init.php:275
auth wp_ajax_aiovg_load_categories includes\init.php:317
nopriv wp_ajax_aiovg_load_categories includes\init.php:318
auth wp_ajax_aiovg_load_videos includes\init.php:323
nopriv wp_ajax_aiovg_load_videos includes\init.php:324
auth wp_ajax_aiovg_update_views_count includes\init.php:330
nopriv wp_ajax_aiovg_update_views_count includes\init.php:331
auth wp_ajax_aiovg_get_likes_dislikes_info includes\init.php:352
nopriv wp_ajax_aiovg_get_likes_dislikes_info includes\init.php:353
auth wp_ajax_aiovg_toggle_likes includes\init.php:354
nopriv wp_ajax_aiovg_toggle_likes includes\init.php:355
auth wp_ajax_aiovg_toggle_dislikes includes\init.php:356
nopriv wp_ajax_aiovg_toggle_dislikes includes\init.php:357
auth wp_ajax_aiovg_create_bunny_stream_video includes\init.php:376
auth wp_ajax_aiovg_get_bunny_stream_video includes\init.php:377
auth wp_ajax_aiovg_delete_bunny_stream_video includes\init.php:378
auth wp_ajax_aiovg_autocomplete_get_videos widgets\video.php:48

Shortcodes 12

[aiovg_categories] public\categories.php:40
[aiovg_like_button] public\likes.php:31
[aiovg_search_form] public\search.php:31
[aiovg_video] public\video.php:31
[aiovg_videos] public\videos.php:40
[aiovg_category] public\videos.php:41
[aiovg_tag] public\videos.php:42
[aiovg_search] public\videos.php:43
[aiovg_related_videos] public\videos.php:44
[aiovg_user_videos] public\videos.php:45
[aiovg_liked_videos] public\videos.php:46
[aiovg_disliked_videos] public\videos.php:47
WordPress Hooks 126
filter wp_kses_allowed_html admin\import-export.php:619
filter wp_kses_allowed_html admin\import-export.php:1796
filter wp_kses_allowed_html admin\import-export.php:2048
filter wp_kses_allowed_html admin\videos.php:363
action after_uninstall all-in-one-video-gallery.php:150
action wp_footer includes\helpers\functions.php:43
action plugins_loaded includes\init.php:150
action admin_init includes\init.php:164
action admin_init includes\init.php:165
action admin_menu includes\init.php:166
action admin_enqueue_scripts includes\init.php:167
action admin_enqueue_scripts includes\init.php:168
action elementor/editor/after_enqueue_styles includes\init.php:169
action elementor/editor/after_enqueue_scripts includes\init.php:170
action updated_option includes\init.php:171
action save_post_page includes\init.php:172
filter display_post_states includes\init.php:175
filter upload_mimes includes\init.php:177
filter wp_check_filetype_and_ext includes\init.php:178
filter wp_handle_upload_prefilter includes\init.php:179
action admin_menu includes\init.php:184
action init includes\init.php:185
action before_delete_post includes\init.php:186
action post_submitbox_misc_actions includes\init.php:189
action add_meta_boxes includes\init.php:190
action save_post includes\init.php:191
action restrict_manage_posts includes\init.php:192
action manage_aiovg_videos_posts_custom_column includes\init.php:193
action admin_print_footer_scripts includes\init.php:194
filter parent_file includes\init.php:196
filter parse_query includes\init.php:197
filter post_row_actions includes\init.php:198
filter manage_edit-aiovg_videos_columns includes\init.php:199
filter manage_edit-aiovg_videos_sortable_columns includes\init.php:200
filter use_block_editor_for_post_type includes\init.php:201
filter gutenberg_can_edit_post_type includes\init.php:202
action admin_menu includes\init.php:208
action init includes\init.php:209
action aiovg_categories_add_form_fields includes\init.php:210
action aiovg_categories_edit_form_fields includes\init.php:211
action created_aiovg_categories includes\init.php:212
action edited_aiovg_categories includes\init.php:213
action pre_delete_term includes\init.php:214
filter parent_file includes\init.php:216
filter manage_edit-aiovg_categories_columns includes\init.php:217
filter manage_edit-aiovg_categories_sortable_columns includes\init.php:218
filter manage_aiovg_categories_custom_column includes\init.php:219
action admin_menu includes\init.php:224
action init includes\init.php:225
filter parent_file includes\init.php:227
filter manage_edit-aiovg_tags_columns includes\init.php:228
filter manage_edit-aiovg_tags_sortable_columns includes\init.php:229
filter manage_aiovg_tags_custom_column includes\init.php:230
action admin_menu includes\init.php:235
action admin_init includes\init.php:236
action admin_menu includes\init.php:241
action aiovg_cleanup_export_directory includes\init.php:247
action template_redirect includes\init.php:261
action init includes\init.php:262
action init includes\init.php:263
action init includes\init.php:264
action wp_enqueue_scripts includes\init.php:265
action aiovg_enqueue_block_editor_assets includes\init.php:266
action elementor/editor/after_enqueue_scripts includes\init.php:267
action elementor/preview/enqueue_scripts includes\init.php:268
action query_vars includes\init.php:269
action wp includes\init.php:270
action wp_loaded includes\init.php:271
action wp_head includes\init.php:272
action wp_print_footer_scripts includes\init.php:273
filter wp_title includes\init.php:278
filter document_title_parts includes\init.php:279
filter the_title includes\init.php:282
filter single_post_title includes\init.php:283
filter has_post_thumbnail includes\init.php:284
filter post_thumbnail_html includes\init.php:285
filter term_link includes\init.php:286
filter wpseo_title includes\init.php:291
filter wpseo_opengraph_title includes\init.php:292
filter wpseo_metadesc includes\init.php:293
filter wpseo_opengraph_desc includes\init.php:294
filter wpseo_canonical includes\init.php:295
filter wpseo_opengraph_url includes\init.php:296
filter wpseo_opengraph_image includes\init.php:297
filter wpseo_twitter_image includes\init.php:298
filter wpseo_breadcrumb_links includes\init.php:299
filter wpseo_video_custom_field_details includes\init.php:300
filter wpseo_video_youtube_details includes\init.php:301
filter wpseo_video_vimeo_details includes\init.php:302
filter rank_math/frontend/title includes\init.php:307
filter rank_math/frontend/description includes\init.php:308
filter rank_math/frontend/canonical includes\init.php:309
filter rank_math/opengraph/facebook/image includes\init.php:310
filter rank_math/opengraph/twitter/image includes\init.php:311
filter rank_math/frontend/breadcrumb/items includes\init.php:312
action init includes\init.php:329
filter template_include includes\init.php:333
filter show_admin_bar includes\init.php:334
filter aiovg_iframe_videojs_player_sources includes\init.php:335
filter aiovg_iframe_vidstack_player_sources includes\init.php:336
filter aiovg_videojs_player_sources includes\init.php:337
filter aiovg_vidstack_player_sources includes\init.php:338
filter aiovg_the_content includes\init.php:339
filter the_content includes\init.php:340
filter comments_open includes\init.php:341
action init includes\init.php:364
filter option_aiovg_page_settings includes\init.php:365
action save_post includes\init.php:372
action aiovg_save_video includes\init.php:375
action before_delete_post includes\init.php:379
filter aiovg_get_image includes\init.php:381
filter aiovg_iframe_videojs_player_sources includes\init.php:382
filter aiovg_iframe_vidstack_player_sources includes\init.php:383
filter aiovg_videojs_player_sources includes\init.php:384
filter aiovg_vidstack_player_sources includes\init.php:385
filter autoptimize_filter_noptimize includes\init.php:390
filter smush_skip_iframe_from_lazy_load includes\init.php:391
filter rank_math/snippet/rich_snippet_videoobject_entity includes\init.php:392
action init includes\init.php:411
action enqueue_block_editor_assets includes\init.php:412
filter block_categories_all includes\init.php:415
filter block_categories includes\init.php:417
action widgets_init includes\init.php:428
filter map_meta_cap includes\init.php:451
filter posts_orderby public\videos.php:700
filter posts_orderby widgets\videos.php:267

Scheduled Events 1

aiovg_cleanup_export_directory
Maintenance & Trust

All-in-One Video Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 25, 2026
PHP min version: 5.6.20
Downloads: 808K

Community Trust

Rating: 96/100
Number of ratings: 132
Active installs: 20K
Developer Profile

All-in-One Video Gallery Developer Profile

Plugins360 Labs

3 plugins · 29K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 123 days
Detection Fingerprints

How We Detect All-in-One Video Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/all-in-one-video-gallery/public/assets/css/all-in-one-video-gallery.css
/wp-content/plugins/all-in-one-video-gallery/public/assets/js/all-in-one-video-gallery.js
Script Paths
/wp-content/plugins/all-in-one-video-gallery/public/assets/js/all-in-one-video-gallery.js
Version Parameters
all-in-one-video-gallery/public/assets/css/all-in-one-video-gallery.css?ver=
all-in-one-video-gallery/public/assets/js/all-in-one-video-gallery.js?ver=

HTML / DOM Fingerprints

CSS Classes
aiovg-gallery-container
HTML Comments
<!-- AIOVG: START SINGLE VIDEO -->
<!-- AIOVG: END SINGLE VIDEO -->
Data Attributes
data-aiovg-gallery-id
data-aiovg-playlist-id
JS Globals
AIOVG_GLOBAL_SETTINGS
aiovg_settings
REST Endpoints
/wp-json/aiovg/v1/gallery
Shortcode Output
[all_in_one_video_gallery]