Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Subscriber-level setup step (PR:L) with unauthenticated SSRF trigger and scope change to internal network services (S:C) warrants network vector, changed scope, and low C/I impacts.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the mp4 post meta of a newly created aiovg_videos post via XML-RPC wp.newPost, then trigger the unauthenticated ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body back to the requester.
AnalysisAI
Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two sequential conditions must be met. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.4 (Medium) reflects network accessibility, low complexity, subscriber-level privilege, scope change, and limited C/I impacts - consistent with SSRF to internal services rather than direct code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external attacker self-registers as a WordPress subscriber on a target site running All-in-One Video Gallery 4.8.5 with open user registration enabled, then submits an XML-RPC wp.newPost call creating an aiovg_videos post with the mp4 meta field set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDSv1 credential endpoint). The attacker then sends an unauthenticated GET request to /?vdl=<post_id> from any IP and receives the streaming response body containing cloud IAM role credentials, enabling full AWS account access. … |
| Remediation | An upstream code fix has been committed to the WordPress plugin repository (changeset https://plugins.trac.wordpress.org/changeset/3582575); however, the specific patched release version number is not confirmed from available data - monitor the plugin's update channel in the WordPress dashboard and apply any version released after 4.8.5 as soon as it appears. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in All In One Video Gallery
View allThe All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side reques
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using
Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.5.2. Rated high severity (CVSS 8.8), thi
The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video sh
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42828
GHSA-5mf7-m64r-fr3h