cleantalk
Vulnerabilities and Security Researches

All-in-One Video Gallery, CVE-2025-14947

CVE, Research URL

CVE-2025-14947

Home page URL

Security reports for All-in-One Video Gallery

Application

All-in-One Video Gallery

Published on
Jan 23, 2026
Research Description
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.
Affected versions
max 4.7.1.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-4223) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-2104) , Mar 14, 2025
New vulnerability
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2025-15403) , Jan 28, 2026
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2026-24374) , Jan 28, 2026
Header and Footer Scripts (CVE-2025-11453) , Jan 28, 2026
WordPress CRM Plugin – WP-CRM System (CVE-2025-14854) , Jan 28, 2026
WordPress CRM Plugin – WP-CRM System (CVE-2025-62106) , Jan 28, 2026