CVE-2026-12123 in All-in-One Video Gallery Plugininfo

Summary

by MITRE • 07/10/2026

The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the `mp4` post meta of a newly created `aiovg_videos` post via XML-RPC `wp.newPost`, then trigger the unauthenticated `?vdl=<post_id>` endpoint to force the server to fetch that URL and stream the full response body back to the requester.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The All-in-One Video Gallery plugin for WordPress presents a critical Server-Side Request Forgery vulnerability that affects all versions up to and including 4.8.5. This vulnerability stems from improper input validation within the 'vdl' parameter processing mechanism, creating a dangerous attack vector that allows authenticated users with subscriber-level privileges or higher to manipulate the application's network requests. The flaw operates by leveraging the plugin's legitimate functionality for video download handling while bypassing normal security restrictions through crafted malicious inputs.

The technical implementation of this vulnerability exploits the XML-RPC API endpoint wp.newPost which permits subscribers to create new aiovg_videos posts with custom mp4 post meta values. Attackers can inject internal or loopback URLs into the mp4 metadata field during post creation, effectively planting malicious request targets within the plugin's data structure. When an authenticated user accesses the unauthenticated ?vdl= endpoint with the crafted URL parameter, the server executes a GET request to the specified internal address using its own network credentials and connection context. This server-side behavior enables attackers to perform reconnaissance of internal systems, access sensitive information from back-end services, and potentially manipulate data within the internal network infrastructure.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can be leveraged for comprehensive internal network enumeration and lateral movement within compromised environments. Attackers can use this capability to discover internal services running on different ports, identify vulnerable internal systems, and potentially exploit other weaknesses within the organization's network perimeter. The vulnerability particularly affects organizations using WordPress installations with multiple user roles where subscribers or lower-privileged users have access to XML-RPC functionality. This creates a significant risk for businesses that do not properly restrict XML-RPC access or implement additional network segmentation measures.

Mitigation strategies should focus on immediate patching of the plugin to version 4.8.6 or later, which addresses the core input validation issues within the vdl parameter handling. Organizations must also implement strict restrictions on XML-RPC access by disabling wp.newPost and other potentially dangerous methods for users without administrative privileges. Network-level controls including firewall rules that block outbound requests to internal IP ranges from web servers can provide additional protection against this type of attack. The vulnerability aligns with CWE-918 Server-Side Request Forgery and maps to ATT&CK technique T1071.004 Application Layer Protocol: Web Protocols, demonstrating how seemingly legitimate plugin functionality can be weaponized for network reconnaissance and information gathering operations. Security monitoring should include detection of unusual patterns in XML-RPC requests and unexpected outbound connections from web servers to internal networks.

This vulnerability represents a classic case of insufficient input validation combined with dangerous server-side request capabilities, creating an attack surface that can be exploited by relatively low-privileged users within WordPress environments. The impact is particularly concerning because it allows attackers to bypass traditional network security controls by leveraging the application server's own network permissions and credentials. Organizations should consider implementing automated patch management processes specifically for WordPress plugins to prevent such vulnerabilities from remaining unaddressed in production environments. Regular security audits of WordPress installations, including review of plugin capabilities and user permission settings, can help identify and remediate similar issues before they can be exploited by malicious actors.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!