Skip to main content

All In One Video Gallery

5 CVEs product

Monthly

CVE-2026-12123 MEDIUM This Month

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.

WordPress SSRF All In One Video Gallery
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-6629 MEDIUM PATCH This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video shortcode in all versions up to, and including, 3.7.1 due to insufficient input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS All In One Video Gallery
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-31248 HIGH This Week

Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.5.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass All In One Video Gallery
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-2633 HIGH POC PATCH THREAT This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF WordPress PHP All In One Video Gallery
NVD
CVSS 3.1
8.2
EPSS
25.9%
CVE-2021-24970 HIGH POC This Week

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal All In One Video Gallery
NVD WPScan
CVSS 3.1
7.2
EPSS
5.9%
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.

WordPress SSRF All In One Video Gallery
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video shortcode in all versions up to, and including, 3.7.1 due to insufficient input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS All In One Video Gallery
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.5.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass All In One Video Gallery
NVD
EPSS 26% CVSS 8.2
HIGH POC PATCH THREAT This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF WordPress PHP +1
NVD
EPSS 6% CVSS 7.2
HIGH POC This Week

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal All In One Video Gallery
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy