CVE-2025-12957
📋 TL;DR
This vulnerability allows authenticated attackers with author-level WordPress access to upload malicious files disguised as VTT subtitle files, bypassing security checks. Successful exploitation could lead to remote code execution on affected WordPress sites. All WordPress sites using All-in-One Video Gallery plugin versions up to 4.5.7 are vulnerable.
💻 Affected Systems
- All-in-One Video Gallery WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, defacement, malware distribution, or ransomware deployment
Likely Case
Website defacement, backdoor installation, or credential theft from the compromised WordPress instance
If Mitigated
Limited to file uploads in restricted directories if proper file permissions and web application firewalls are configured
🎯 Exploit Status
Exploitation requires author-level WordPress credentials; double extension technique is well-documented
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.8
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find All-in-One Video Gallery
4. Click 'Update Now' if available
5. If manual update needed, download version 4.5.8+ from WordPress.org
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Restrict Author Permissions
allTemporarily downgrade or remove author-level users until patching
Web Application Firewall Rule
linuxBlock file uploads with double extensions to /wp-content/uploads/ directory
ModSecurity: SecRule FILES "@rx \\.(php|asp|aspx|jsp|pl)\\.vtt$" "deny,status:403,id:1001"
🧯 If You Can't Patch
- Immediately remove author-level access from all untrusted users
- Implement file integrity monitoring on wp-content/uploads directory
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → All-in-One Video Gallery version numberCheck Version:
wp plugin list --name='all-in-one-video-gallery' --field=versionVerify Fix Applied:
Confirm plugin version is 4.5.8 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Multiple failed VTT file upload attempts
- Successful upload of files with double extensions like .php.vtt
- Unusual file creation in wp-content/uploads
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- Unusual outbound connections from web server post-upload
SIEM Query:
source="wordpress.log" AND ("action=upload_vtt" OR ".vtt" AND "Content-Type: application/")