Vulnerabilities and security researches forall-in-one-video-gallery all-in-one-video-gallery

Jun 07, 2024

CVE, Research URL: CVE-2021-24970
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Dec 13, 2021
Research Description: The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue
Affected versions: max 2.5.4.
Status: vulnerable

CVE, Research URL: CVE-2022-2633
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Sep 06, 2022
Research Description: The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests to the server.
Affected versions: max 3.4.3.
Status: vulnerable

CVE, Research URL: CVE-2024-4670
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: May 15, 2024
Research Description: The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions: max 3.7.0.
Status: vulnerable

CVE, Research URL: CVE-2024-31248
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Jun 09, 2024
Research Description: Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.This issue affects All-in-One Video Gallery: from n/a through 3.5.2.
Affected versions: max 3.6.0.
Status: vulnerable

CVE, Research URL: CVE-2024-4033
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: May 02, 2024
Research Description: The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 3.6.5.
Status: vulnerable

Jul 26, 2024

CVE, Research URL: CVE-2024-6629
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Jul 24, 2024
Research Description: The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video shortcode in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.8.3.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 2.5.4.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-12966
Home page URL: Security reports for All-in-One Video Gallery
Application: All-in-One Video Gallery
Date: Dec 06, 2025
Research Description: The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 4.6.4.
Status: vulnerable