CVE-2025-15516 in All-in-One Video Gallery Plugin
Summary
by MITRE • 01/24/2026
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/25/2026
The CVE-2025-15516 vulnerability resides within the All-in-One Video Gallery plugin for WordPress, a widely used media management solution that has been identified as susceptible to unauthorized data modification through insufficient access controls. This security flaw specifically affects versions ranging from 4.1.0 through 4.6.4, creating a persistent risk for WordPress installations that have not yet upgraded to patched releases. The vulnerability manifests through the ajax_callback_store_user_meta() function, which lacks proper capability validation, allowing malicious actors with minimal privileges to exploit this weakness. The affected plugin's architecture fails to implement adequate authorization checks before permitting user meta data modifications, thereby undermining the fundamental security principles of least privilege and access control.
The technical exploitation of this vulnerability occurs through the plugin's AJAX callback mechanism, which is designed to handle user interactions without requiring full page reloads. When an authenticated user with Subscriber-level privileges or higher accesses the vulnerable plugin functionality, they can leverage the missing capability check to manipulate their own user meta data. This flaw enables attackers to modify arbitrary string-based user meta keys, potentially allowing them to alter personal information, preferences, or other metadata associated with their accounts. The vulnerability is particularly concerning because it operates within the legitimate plugin functionality, making it difficult to detect through standard security monitoring approaches. The absence of proper capability validation creates a pathway for privilege escalation within the user context, where attackers can manipulate their own account metadata to potentially gain further access or disrupt normal operations.
The operational impact of this vulnerability extends beyond simple data modification, as it creates potential vectors for more sophisticated attacks within the WordPress environment. An attacker could use this vulnerability to manipulate user profile information, potentially to bypass security measures or to establish persistent access patterns. The vulnerability also contributes to broader security concerns within WordPress ecosystems where multiple plugins may share similar architectural flaws, potentially creating cascading effects across interconnected systems. From a compliance perspective, this vulnerability could result in violations of data integrity requirements and may impact organizations that must maintain strict audit trails for user account modifications. The vulnerability's classification aligns with CWE-284, which addresses improper access control, and can be mapped to ATT&CK technique T1078.004 related to valid accounts, as it allows attackers to exploit existing user permissions to modify their own account data.
Mitigation strategies for CVE-2025-15516 should prioritize immediate plugin upgrades to versions that address the missing capability check in the ajax_callback_store_user_meta() function. System administrators should also implement additional security measures including monitoring for unusual user meta data modifications, implementing role-based access controls, and conducting regular security audits of WordPress plugins. Organizations should consider implementing web application firewalls that can detect and block suspicious AJAX requests targeting the vulnerable plugin endpoints. The vulnerability highlights the importance of proper input validation and capability checks in web applications, particularly those handling user data modifications. Security teams should also review other plugin functions for similar access control weaknesses and consider implementing automated scanning tools that can identify such vulnerabilities in third-party WordPress components. Regular security assessments and vulnerability management processes should include comprehensive checks for capability validation flaws in all WordPress plugin functionalities to prevent similar issues from emerging in the future.