CVE-2025-14947

6.5 MEDIUM

📋 TL;DR

The All-in-One Video Gallery WordPress plugin has missing capability checks on AJAX functions, allowing unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account. Attackers need to obtain a valid nonce exposed in public player templates. All WordPress sites using this plugin up to version 4.6.4 are affected.

💻 Affected Systems

Products:
  • All-in-One Video Gallery WordPress plugin
Versions: All versions up to and including 4.6.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin activated. The nonce exposure in public templates makes exploitation easier.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete all videos from the Bunny Stream CDN account, causing permanent data loss and service disruption, or create malicious videos that could be used for phishing or malware distribution.

🟠 Likely Case

Attackers with basic web skills could delete or create videos, causing content manipulation, service disruption, and potential reputational damage.

🟢 If Mitigated

With proper access controls and nonce protection, impact would be limited to authenticated users only, preventing unauthorized video manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires obtaining a valid nonce from public player templates, which is relatively straightforward for attackers with basic web skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3441541/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find 'All-in-One Video Gallery'.
  4. Click 'Update Now' if available.
  5. Alternatively, download version 4.6.5+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoints

Temporarily disable the vulnerable AJAX callback functions, either by modifying the plugin code or by unhooking them with WordPress hooks.

Add to the theme's functions.php or a custom plugin:

  remove_action('wp_ajax_aiovg_create_bunny_stream_video', 'ajax_callback_create_bunny_stream_video');
  remove_action('wp_ajax_nopriv_aiovg_create_bunny_stream_video', 'ajax_callback_create_bunny_stream_video');
  remove_action('wp_ajax_aiovg_get_bunny_stream_video', 'ajax_callback_get_bunny_stream_video');
  remove_action('wp_ajax_nopriv_aiovg_get_bunny_stream_video', 'ajax_callback_get_bunny_stream_video');
  remove_action('wp_ajax_aiovg_delete_bunny_stream_video', 'ajax_callback_delete_bunny_stream_video');
  remove_action('wp_ajax_nopriv_aiovg_delete_bunny_stream_video', 'ajax_callback_delete_bunny_stream_video');

Note that remove_action() only takes effect when it runs after the plugin has registered the hook (for example from a callback on 'plugins_loaded' or 'init') and is passed exactly the same callable the plugin gave to add_action(). If the plugin registers a class method rather than a plain function, pass that same array callable, or call remove_all_actions() on the hook name instead. The wp_ajax_nopriv_* hooks are the ones reachable without authentication, so verify those are gone first.
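As an added hardening example (not code from the plugin or from this advisory), the following must-use plugin removes the unauthenticated hooks without needing to know the exact callable and places a capability check in front of the authenticated ones. The 'upload_files' capability and the 'admin_init' timing are assumptions to adapt to the site.

```php
<?php
/**
 * Plugin Name: CVE-2025-14947 hardening (added example, not part of the plugin)
 *
 * Place this file in wp-content/mu-plugins/. It runs late on 'admin_init', which
 * admin-ajax.php fires just before dispatching wp_ajax_* actions, so the plugin's
 * own registrations are already in place when we adjust them.
 */

add_action( 'admin_init', function () {
    $actions = array(
        'aiovg_create_bunny_stream_video',
        'aiovg_get_bunny_stream_video',
        'aiovg_delete_bunny_stream_video',
    );

    foreach ( $actions as $action ) {
        // Unauthenticated callers must never reach these callbacks.
        // remove_all_actions() works regardless of which callable (plain
        // function or class method) the plugin registered.
        remove_all_actions( 'wp_ajax_nopriv_' . $action );

        // For logged-in users, run a guard before the plugin's callback
        // (priority 0 precedes the default priority 10). The nonce is exposed
        // in public player templates, so it is not an authorization control;
        // the capability check is what limits who can act.
        add_action( 'wp_ajax_' . $action, function () use ( $action ) {
            // 'upload_files' is an assumed capability; tighten or loosen per site.
            if ( ! current_user_can( 'upload_files' ) ) {
                error_log( sprintf(
                    'CVE-2025-14947 guard: blocked %s for user %d from %s',
                    $action,
                    get_current_user_id(),
                    $_SERVER['REMOTE_ADDR'] ?? 'unknown'
                ) );
                // wp_send_json_error() terminates the request, so the plugin's
                // callback at priority 10 never runs for this user.
                wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
            }
        }, 0 );
    }
}, PHP_INT_MAX );
```

The error_log() line gives you a log indicator to correlate with the admin-ajax.php requests listed under Detection & Monitoring.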

🧯 If You Can't Patch

  • Deactivate the All-in-One Video Gallery plugin immediately
  • Implement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > All-in-One Video Gallery. If version is 4.6.4 or lower, you are vulnerable.

Check Version:

wp plugin list --name='all-in-one-video-gallery' --field=version (WP-CLI) or check WordPress admin panel

Verify Fix Applied:

After updating, verify plugin version shows 4.6.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action parameters: aiovg_create_bunny_stream_video, aiovg_get_bunny_stream_video, aiovg_delete_bunny_stream_video
  • Multiple failed authentication attempts followed by successful AJAX requests to video endpoints

Network Indicators:

  • Unusual traffic patterns to Bunny Stream API endpoints from unexpected sources
  • Spikes in outbound traffic to Bunny Stream CDN

SIEM Query:

source="web_server" AND (url_path="/wp-admin/admin-ajax.php" AND (post_data LIKE "%aiovg_create_bunny_stream_video%" OR post_data LIKE "%aiovg_delete_bunny_stream_video%" OR post_data LIKE "%aiovg_get_bunny_stream_video%"))
