cleantalk
Vulnerabilities and Security Researches

All-in-One Video Gallery, CVE-2025-12966

CVE, Research URL

CVE-2025-12966

Home page URL

Security reports for All-in-One Video Gallery

Application

All-in-One Video Gallery

Published on
Dec 06, 2025
Research Description
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 4.6.4.
Status
vulnerable
Previous vulnerability researches
Advanced Flamingo (CVE-2023-52226) , Jun 07, 2024
New vulnerability
130+ Widgets | Best Addons For Elementor – FREE (CVE-2025-63044) , Dec 11, 2025
CSS3 Buttons (CVE-2025-13907) , Dec 11, 2025
Booster for WooCommerce (CVE-2025-64380) , Dec 11, 2025
Booster for WooCommerce (CVE-2025-64379) , Dec 11, 2025
Custom Sidebars by ProteusThemes (CVE-2025-62733) , Dec 11, 2025