CVE-2025-14947 in All-in-One Video Gallery Plugin

Summary

by MITRE • 01/23/2026

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.

Analysis

by VulDB Data Team • 01/25/2026

The vulnerability identified as CVE-2025-14947 affects the All-in-One Video Gallery plugin for WordPress, specifically targeting versions up to and including 4.6.4. This represents a critical authorization flaw that undermines the security posture of WordPress installations relying on this plugin for video management. The vulnerability stems from insufficient capability validation within three distinct AJAX callback functions that handle Bunny Stream CDN operations, creating a pathway for unauthorized data manipulation that directly impacts the integrity and confidentiality of multimedia content stored in cloud-based video services.

The technical flaw manifests through three exposed AJAX endpoints: `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`. These functions lack proper capability checks that should verify user authentication and authorization before executing operations on the Bunny Stream CDN. The vulnerability is exacerbated by the exposure of valid nonces within public player templates, which allows unauthenticated attackers to craft requests that appear legitimate to the WordPress AJAX system. Because a WordPress nonce only protects against forged requests and does not establish who the caller is, this exposure gives attackers who read the publicly accessible templates a valid nonce without requiring user credentials or authentication.

The operational impact of this vulnerability extends beyond simple data modification to encompass potential data loss, unauthorized content manipulation, and compromise of cloud storage resources. Attackers can create unauthorized video streams on the victim's Bunny Stream account, potentially leading to storage consumption abuse, billing implications, and unauthorized content distribution. The ability to delete videos creates additional risk of data destruction and content tampering, while the exposure of the nonce mechanism undermines the security model of the plugin's AJAX infrastructure. This vulnerability particularly affects WordPress sites that rely on Bunny Stream CDN integration for video hosting, creating a significant risk for content creators, businesses, and organizations that store valuable multimedia assets in cloud-based storage solutions.

Security mitigations for this vulnerability should focus on immediate plugin updates to versions that implement proper capability checks and nonce validation. Organizations should also review and restrict access to public player templates to prevent nonce exposure, while implementing additional security layers such as rate limiting for AJAX endpoints and monitoring for unusual video creation or deletion patterns.

The vulnerability aligns with CWE-863, representing an "Incorrect Authorization" issue where the system fails to properly verify user permissions before executing privileged operations. From an ATT&CK framework perspective, this vulnerability maps to T1078.004 (Valid Accounts: Cloud Accounts) and T1496 (Resource Hijacking) as it enables attackers to leverage legitimate cloud service accounts for unauthorized operations while potentially consuming resources without proper authorization.

Network-level monitoring should be implemented to detect anomalous AJAX requests targeting the affected endpoints, and regular security audits should verify that all AJAX handlers implement proper capability validation to prevent similar authorization bypasses in other plugin components.
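The audit of AJAX handlers recommended above can be partly automated. The following Python scanner is an added example, not code from the plugin or from VulDB: it finds `wp_ajax_` / `wp_ajax_nopriv_` registrations in PHP source and reports callbacks whose body never calls `current_user_can()`. The sample source and all `demo_*` names are constructed for illustration.

```python
import re

# Constructed sample source for illustration; not the plugin's real code.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_demo_create_video', 'demo_create_video' );
add_action( 'wp_ajax_nopriv_demo_create_video', 'demo_create_video' );
add_action( 'wp_ajax_demo_delete_video', array( $this, 'demo_delete_video' ) );
function demo_create_video() {
    check_ajax_referer( 'demo_nonce', 'security' );  // nonce only
    demo_cdn_request( 'POST', $_POST['title'] );
}
function demo_delete_video() {
    check_ajax_referer( 'demo_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    demo_cdn_request( 'DELETE', $_POST['video_id'] );
}
"""

# Matches string callbacks and array( $this, 'cb' ) / [ $this, 'cb' ] callbacks.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?[\w-]+['\"]\s*,\s*"
    r"(?:(?:array\(|\[)\s*\$this\s*,\s*)?['\"](\w+)['\"]")

def function_body(src, name):
    """Return the brace-matched body of `function name(...)`, or '' if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    start, depth = m.end() - 1, 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]  # unbalanced braces: return what is left

def audit_ajax_handlers(src):
    """Map each AJAX callback to its nonce/capability checks and exposure."""
    report = {}
    for nopriv, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        entry = report.setdefault(callback, {
            "unauthenticated": False,
            "nonce_check": bool(re.search(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(", body)),
            "capability_check": bool(re.search(r"\bcurrent_user_can\s*\(", body)),
        })
        entry["unauthenticated"] |= bool(nopriv)  # reachable without login
    return report

def missing_capability_check(src):
    return sorted(cb for cb, e in audit_ajax_handlers(src).items() if not e["capability_check"])
```

The scan is a heuristic: a capability check performed in a helper function or parent class is not seen, so treat each hit as a candidate for manual review rather than a confirmed finding.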

Disclosure: 01/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00058
KEV: no
Activities: very low
