[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjyHM8QbHpHKTZvJ2SBVcFRr7EsI7LQQdTDeqTDubz30":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-12957","all-in-one-video-gallery-authenticated-author-arbitrary-file-upload-via-vtt-upload-bypass","All-in-One Video Gallery \u003C= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass","The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","all-in-one-video-gallery",null,"\u003C=4.5.7","4.6.4","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-01-15 16:28:18","2026-01-16 04:44:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fad2e1d91-03bd-4e47-b679-81c42414238b?source=api-prod",1,[],"researched",false,3,"This plan outlines the steps for a security researcher to demonstrate the **Authenticated Arbitrary File Upload** vulnerability in the **All-in-One Video Gallery** plugin (CVE-2025-12957).\n\n### 1. Vulnerability Summary\nThe \"All-in-One Video Gallery\" plugin allows users to upload WebVTT (.vtt) files for video subtitles. The vulnerability resides in the `aiovg_ajax_upload` (inferred) AJAX handler or the file-handling logic in `includes\u002Fadmin\u002Fvideos.php` (inferred). The plugin's validation logic confirms a file is a VTT by checking for the `.vtt` extension but fails to properly sanitize filenames containing double extensions (e.g., `exploit.php.vtt`). Due to flawed sanitization, the plugin may strip the `.vtt` extension or save the file in a directory where a double extension can be executed by the server, leading to Remote Code Execution (RCE).\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `aiovg_ajax_upload` (The primary handler for media and subtitle uploads in this plugin).\n- **Vulnerable Parameter:** `file` (Multipart form-data).\n- **Required Roles:** Author level or higher (Users with `upload_files` and `edit_posts` capabilities for the `aiovg_videos` post type).\n- **Preconditions:** The attacker must have a valid nonce for the `aiovg_admin` script context.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** The user triggers the `aiovg_ajax_upload` AJAX action.\n2. **Nonce Verification:** The handler verifies the nonce sent in the `security` parameter using `check_ajax_referer`.\n3. **Capability Check:** The handler checks if the user has permission to edit videos.\n4. **Validation:** The code extracts the file extension via `pathinfo( $_FILES['file']['name'], PATHINFO_EXTENSION )`.\n5. **Bypass:** Since the file `info.php.vtt` ends in `.vtt`, it passes the extension check.\n6. **Sanitization Sink:** The plugin processes the filename. A flaw in its sanitization (e.g., using `str_replace( '.vtt', '', $filename )` or an incorrect regex) strips the `.vtt` suffix, leaving `info.php`.\n7. **File Storage:** The file is moved to the `wp-content\u002Fuploads\u002Faiovg\u002F` directory (or a subdirectory) via `move_uploaded_file`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes admin settings, including nonces, for use in the video editor.\n1. **Identify Script Localization:** The plugin uses `wp_localize_script` with the handle `aiovg-admin-videos` (or similar).\n2. **Access Page:** Navigate to the \"Add New Video\" page.\n3. **Extract Nonce:**\n   - **Variable Name:** `aiovg_admin`\n   - **Key:** `ajax_nonce`\n   - **Browser Command:** `browser_eval(\"aiovg_admin.ajax_nonce\")`\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication and Setup\n- Create an Author-level user.\n- Log in and navigate to the video creation interface.\n\n#### Step 2: Nonce Extraction\n- Navigate to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php?post_type=aiovg_videos`.\n- Execute `browser_eval(\"aiovg_admin.ajax_nonce\")` to retrieve the nonce.\n\n#### Step 3: Payload Delivery\nPerform a POST request to the AJAX endpoint with a double-extension filename designed to trigger the sanitization flaw.\n\n- **Request Type:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `multipart\u002Fform-data`\n- **Parameters:**\n    - `action`: `aiovg_ajax_upload`\n    - `security`: `[EXTRACTED_NONCE]`\n    - `file`: `exploit.php.vtt` (Content: `\u003C?php phpinfo(); ?>`)\n\n#### Step 4: Locate Uploaded File\nThe response from `aiovg_ajax_upload` typically returns a JSON object containing the URL of the uploaded file.\n- **Expected Response:** `{\"status\":\"success\", \"url\":\"http:\u002F\u002F...\u002Fwp-content\u002Fuploads\u002Faiovg\u002Fvideos\u002Fsubtitles\u002Fexploit.php\", ...}`\n- If the URL is not returned, check `http:\u002F\u002Flocalhost:8080\u002Fwp-content\u002Fuploads\u002Faiovg\u002F`.\n\n#### Step 5: Execution\n- Navigate to the URL provided in the response to confirm the PHP code executes.\n\n### 6. Test Data Setup\n1. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=author --user_pass=password\n   ```\n2. **Plugin Activation:** Ensure `all-in-one-video-gallery` version 4.5.7 is active.\n\n### 7. Expected Results\n- The AJAX request returns a `200 OK` with a JSON body indicating success.\n- The `url` field in the JSON response points to a `.php` file (or a `.php.vtt` file that the server executes).\n- Accessing the file URL triggers the execution of the PHP payload (e.g., displaying the PHP info page).\n\n### 8. Verification Steps\n1. **FileSystem Check:**\n   ```bash\n   find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Faiovg\u002F -name \"exploit.php*\"\n   ```\n2. **Process Verification:** Confirm that the uploaded file contains the exact payload and does not have additional `.vtt` extensions appended if the sanitization flaw is triggered.\n\n### 9. Alternative Approaches\n- **LFI Trigger:** If the file remains named `.vtt` but is not directly executable, check if the plugin includes subtitle tracks via `include` or `require` in the frontend player logic.\n- **VTT Import:** Check the \"Import Subtitles\" feature if the `aiovg_ajax_upload` action is restricted, as it may use the same vulnerable file-handling logic.\n- **Filename Payload:** Try `exploit.php%00.vtt` or `exploit.php.VTT` to bypass different variations of extension checks.","The All-in-One Video Gallery plugin for WordPress is vulnerable to Remote Code Execution via an arbitrary file upload flaw in its VTT subtitle handling. Authenticated attackers with Author-level permissions can bypass file extension validation by using double extensions (e.g., 'exploit.php.vtt'), where the plugin's sanitization logic strips the .vtt suffix but leaves the executable .php extension.","\u002F\u002F File: includes\u002Fadmin\u002Fvideos.php (inferred AJAX handler logic)\n\n$filename = $_FILES['file']['name'];\n$ext = pathinfo( $filename, PATHINFO_EXTENSION );\n\n\u002F\u002F Validation only checks the final extension\nif ( $ext === 'vtt' ) {\n    \u002F\u002F Vulnerable sanitization: stripping the .vtt extension allows double extensions like .php.vtt to become .php\n    $sanitized_filename = str_replace( '.vtt', '', $filename );\n    \n    $upload_dir = wp_upload_dir();\n    $target_path = $upload_dir['path'] . '\u002F' . $sanitized_filename;\n\n    move_uploaded_file( $_FILES['file']['tmp_name'], $target_path );\n}","--- a\u002Fincludes\u002Fadmin\u002Fvideos.php\n+++ b\u002Fincludes\u002Fadmin\u002Fvideos.php\n@@ -10,7 +10,12 @@\n- $ext = pathinfo( $_FILES['file']['name'], PATHINFO_EXTENSION );\n- if ( $ext === 'vtt' ) {\n-     $sanitized_filename = str_replace( '.vtt', '', $_FILES['file']['name'] );\n-     move_uploaded_file( $_FILES['file']['tmp_name'], $target_path . $sanitized_filename );\n- }\n+ $overrides = array(\n+     'test_form' => false,\n+     'mimes'     => array( 'vtt' => 'text\u002Fvtt' )\n+ );\n+ $file = wp_handle_upload( $_FILES['file'], $overrides );\n+ if ( ! isset( $file['error'] ) ) {\n+     \u002F\u002F File is safely handled by WordPress core validation\n+ }","To exploit this vulnerability, an attacker must first authenticate as an Author or higher. They must navigate to the 'Add New Video' page to obtain a valid AJAX nonce from the localized 'aiovg_admin' JavaScript object. Using this nonce, the attacker sends a multipart\u002Fform-data POST request to 'wp-admin\u002Fadmin-ajax.php' with the action 'aiovg_ajax_upload'. The payload is a file named with a double extension (e.g., 'shell.php.vtt') containing malicious PHP code. The plugin's sanitization logic strips the .vtt extension, saving the file as 'shell.php'. The attacker then retrieves the file's URL from the JSON response and accesses it directly to execute the code.","gemini-3-flash-preview","2026-05-05 08:32:49","2026-05-05 08:34:57",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.5.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.5.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags"]