CVE-2025-12966

High

Published: 06 December 2025

Published

06 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 39.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above,…

to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation ensures timely patching of the specific arbitrary file upload vulnerability in the WordPress plugin versions 4.5.4 to 4.5.7.

SI-10 Information Input Validation good match

prevent

Information input validation enforces file type checks missing in the resolve_import_directory() function, directly preventing arbitrary file uploads.

AC-6 Least Privilege partial match

prevent

Least privilege restricts Author-level and higher access to the vulnerable upload functionality, reducing the attack surface for authenticated exploitation.

Security SummaryAI

CVE-2025-12966 is an arbitrary file upload vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting versions 4.5.4 through 4.5.7. The flaw arises from missing file type validation in the resolve_import_directory() function, allowing attackers to upload files without proper restrictions. Published on 2025-12-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Author-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables uploading arbitrary files to the server's filesystem, which may lead to remote code execution depending on the file type and server configuration.

Advisories point to mitigation via a patch in WordPress plugin trac changeset 3405593, which updates the admin/import-export.php file in the plugin trunk. Further details on the vulnerability and remediation are provided in the Wordfence threat intelligence report.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and facilitates remote code execution via web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery/trunk/admin/import-export.php
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b03bca1-84e3-4220-b39b-69044c42e9f9?source=cve
security@wordfence.com