Skip to main content

All-in-One Video Gallery CVE-2026-12123

| EUVDEUVD-2026-42828 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-10 Wordfence GHSA-5mf7-m64r-fr3h
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Subscriber-level setup step (PR:L) with unauthenticated SSRF trigger and scope change to internal network services (S:C) warrants network vector, changed scope, and low C/I impacts.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 06:51 vuln.today
CVE Published
Jul 10, 2026 - 05:34 cve.org
MEDIUM 6.4

DescriptionCVE.org

The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the mp4 post meta of a newly created aiovg_videos post via XML-RPC wp.newPost, then trigger the unauthenticated ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body back to the requester.

AnalysisAI

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Self-register as WordPress subscriber
Delivery
Call XML-RPC wp.newPost with internal URL in mp4 post meta
Exploit
Record returned post_id
Execution
Send unauthenticated GET ?vdl=<post_id> request
Persist
Server fetches planted internal URL
Impact
Stream full response body to attacker

Vulnerability AssessmentAI

Exploitation Two sequential conditions must be met. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (Medium) reflects network accessibility, low complexity, subscriber-level privilege, scope change, and limited C/I impacts - consistent with SSRF to internal services rather than direct code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker self-registers as a WordPress subscriber on a target site running All-in-One Video Gallery 4.8.5 with open user registration enabled, then submits an XML-RPC wp.newPost call creating an aiovg_videos post with the mp4 meta field set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDSv1 credential endpoint). The attacker then sends an unauthenticated GET request to /?vdl=<post_id> from any IP and receives the streaming response body containing cloud IAM role credentials, enabling full AWS account access. …
Remediation An upstream code fix has been committed to the WordPress plugin repository (changeset https://plugins.trac.wordpress.org/changeset/3582575); however, the specific patched release version number is not confirmed from available data - monitor the plugin's update channel in the WordPress dashboard and apply any version released after 4.8.5 as soon as it appears. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy