WordPress Plugin Vulnerabilities

All-in-One Video Gallery < 4.7.1 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion

Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.

Affects Plugins

Plugin icon
all-in-one-video-gallery
Fixed in 4.7.1

References

CVE
CVE-2025-14947
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
andrea bocchetti
Verified
No
WPVDB ID
28c23005-cf0c-4848-b191-07d3480383e8

Timeline

Publicly Published
2026-01-22 (about 4 months ago)
Added
2026-01-23 (about 4 months ago)
Last Updated
2026-01-23 (about 4 months ago)

Other

Published
Title
Published
2025-11-18
Title
Essential Addons for Elementor < 6.5.6 - Unauthenticated Missing Authorization
Published
2025-11-20
Title
Better Chat Support for Messenger < 1.2.19 - Missing Authorization
Published
2023-02-16
Title
Protected Posts Logout Button < 1.4.6 - Missing Authorization
Published
2025-10-05
Title
Nelio Content < 4.0.6 - Missing Authorization
Published
2025-05-29
Title
Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion