CVE-2025-12957 Overview
The All-in-One Video Gallery plugin for WordPress contains an arbitrary file upload vulnerability affecting all versions up to and including 4.5.7. The vulnerability stems from insufficient file type validation when detecting VTT (Web Video Text Tracks) files, which allows attackers to bypass sanitization using double extension files while the application still accepts them as valid VTT files. This flaw enables authenticated attackers with author-level access or above to upload arbitrary files to the affected server, potentially leading to remote code execution.
Critical Impact
Authenticated attackers can leverage this arbitrary file upload vulnerability to achieve remote code execution on WordPress sites running vulnerable versions of the All-in-One Video Gallery plugin.
Affected Products
- All-in-One Video Gallery plugin for WordPress versions up to and including 4.5.7
Discovery Timeline
- 2026-01-16 - CVE-2025-12957 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-12957
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue lies in how the plugin validates uploaded files intended to be VTT subtitle files. The validation mechanism fails to properly handle files with double extensions, such as malicious.php.vtt, allowing an attacker to craft a file that passes the VTT validation check while actually containing executable code.
When a user with author-level privileges or higher attempts to upload a subtitle file, the plugin's validation routine examines the file extension. However, the validation logic is flawed and can be circumvented by appending a .vtt extension to a malicious file (e.g., a PHP web shell). This allows the malicious file to be accepted and stored on the server, where it may subsequently be executed depending on server configuration.
Root Cause
The root cause is insufficient file type validation in the plugin's upload handling functionality. The validation mechanism checks for a VTT file extension but does not properly sanitize or reject files with double extensions. Additionally, the plugin may not adequately verify the actual content of uploaded files, relying solely on extension-based validation, which is inherently insecure.
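To make the root cause concrete, here is an added example (not the plugin's own code) that models the extension-only pattern the advisory describes next to a hardened validator; the function names, allowlist and WEBVTT signature check are my own choices and are not taken from the plugin.

```python
# Added example, not the plugin's code: the flawed extension-only check next to a
# hardened VTT validator that rejects double extensions and inspects the content.
import re

ALLOWED_EXTENSIONS = {"vtt"}
WEBVTT_MAGIC = b"WEBVTT"           # every WebVTT file must begin with this signature


def weak_vtt_check(filename: str) -> bool:
    """Simplified model of the flawed pattern: only the final extension is examined,
    so shell.php.vtt is accepted because the name ends in .vtt."""
    return filename.lower().endswith(".vtt")


def strict_vtt_check(filename: str, content: bytes) -> bool:
    """Hardened validation: exactly one extension, taken from an allowlist, a safe
    character set in the base name, and a content check for the WEBVTT signature."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                      # no extension, or a double extension
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if not re.fullmatch(r"[a-z0-9_-]+", stem):
        return False                      # keep stored names to a conservative charset
    head = content[:16]
    if head.startswith(b"\xef\xbb\xbf"):  # an optional UTF-8 BOM may precede the signature
        head = head[3:]
    if not head.startswith(WEBVTT_MAGIC):
        return False
    # Per the WebVTT format, the signature is followed by end of file, a space,
    # a tab, or a line terminator; anything else is not a VTT file.
    rest = head[len(WEBVTT_MAGIC):]
    return rest == b"" or rest[:1] in (b" ", b"\t", b"\r", b"\n")
```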
Attack Vector
The attack requires network access and authentication with at least author-level privileges on the WordPress site. An attacker would craft a malicious file with a double extension (e.g., shell.php.vtt) containing executable code such as a PHP web shell. Upon uploading this file through the plugin's VTT upload functionality, the insufficient validation allows the file to be stored on the server. The attacker can then potentially access the uploaded file directly to execute arbitrary code, depending on the server's configuration and how WordPress handles the uploaded content.
The vulnerability mechanism involves:
- An authenticated attacker prepares a malicious payload file with a double extension that ends in .vtt
- The plugin's file validation checks for VTT extension and incorrectly accepts the file
- The malicious file is uploaded and stored on the server
- The attacker accesses the uploaded file path to trigger code execution
For detailed technical information, see the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-12957
Indicators of Compromise
- Presence of files with suspicious double extensions (e.g., .php.vtt, .phtml.vtt) in WordPress upload directories
- Unusual file uploads from author or contributor accounts, particularly in the video gallery plugin directories
- Web server logs showing direct access requests to recently uploaded VTT files with abnormal response sizes or execution times
- New or modified PHP files in unexpected locations within the WordPress installation
Detection Strategies
- Implement file integrity monitoring to detect unexpected files in WordPress upload directories
- Monitor web application firewall (WAF) logs for attempts to upload files with double extensions
- Review WordPress user activity logs for suspicious upload patterns from lower-privileged accounts
- Scan for web shells and backdoors in directories used by the All-in-One Video Gallery plugin
Monitoring Recommendations
- Configure alerting for file uploads with multiple extensions in the WordPress media library
- Enable detailed logging for the All-in-One Video Gallery plugin's upload functionality
- Implement real-time monitoring of PHP file creation in upload directories
- Regularly audit author and contributor account activities for anomalous behavior
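As an added example (not part of the advisory), the following code turns two of the indicators above into checks that can be run offline: it flags upload paths whose name hides a PHP-style extension before the final one, and direct requests to such files in Apache-style access log lines. The paths, client addresses and log lines are constructed sample data.

```python
# Added example, not from the advisory: hunt for double-extension uploads and for
# direct web requests to them. All sample paths and log lines below are constructed.
import re
from typing import List, Tuple

EXEC_EXT = r"ph(?:p[0-9]?|tml|ar|ps)"
# Matches a PHP-style extension that is immediately followed by one more extension,
# e.g. shell.php.vtt or backdoor.phtml.vtt, but not a plain episode1.vtt.
DOUBLE_EXT_RE = re.compile(r"\." + EXEC_EXT + r"\.[a-z0-9]+$", re.IGNORECASE)
# Apache common log format: client - - [time] "METHOD path protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) \S+" (\d{3}) (\d+|-)')


def suspicious_uploads(paths: List[str]) -> List[str]:
    """Return the paths whose file name carries a hidden executable extension."""
    return [p for p in paths if DOUBLE_EXT_RE.search(p.rsplit("/", 1)[-1])]


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for direct hits on double-extension files
    under wp-content/uploads; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status, _size = m.groups()
        path = path.split("?", 1)[0]          # ignore any query string
        if "/wp-content/uploads/" in path and DOUBLE_EXT_RE.search(path):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample data (hypothetical site layout and addresses).
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/"
SAMPLE_PATHS = [
    UPLOAD_ROOT + "2026/01/episode1.vtt",
    UPLOAD_ROOT + "2026/01/shell.php.vtt",
    UPLOAD_ROOT + "2026/01/cover.jpg",
    UPLOAD_ROOT + "subtitles/backdoor.phtml.vtt",
]
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2026:10:01:02 +0000] "GET /wp-content/uploads/2026/01/episode1.vtt HTTP/1.1" 200 812',
    '203.0.113.5 - - [16/Jan/2026:10:03:17 +0000] "GET /wp-content/uploads/2026/01/shell.php.vtt HTTP/1.1" 200 143',
    '198.51.100.9 - - [16/Jan/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
```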
How to Mitigate CVE-2025-12957
Immediate Actions Required
- Update the All-in-One Video Gallery plugin to the latest patched version immediately
- Audit existing uploaded files in the plugin's directories for suspicious double-extension files
- Review WordPress user accounts and remove or demote unnecessary author-level privileges
- Implement additional server-side restrictions to prevent execution of uploaded files
Patch Information
The vendor has released a patch addressing this vulnerability. The fix can be reviewed in the WordPress Plugin Change Log. Site administrators should update to the latest version of the All-in-One Video Gallery plugin through the WordPress dashboard or by downloading the updated plugin directly from the WordPress plugin repository.
Workarounds
- Temporarily disable the All-in-One Video Gallery plugin until the patch can be applied
- Restrict author-level access to only trusted users who require the capability
- Configure the web server to deny execution of PHP files in upload directories
- Implement strict file upload validation at the web server or WAF level to block double-extension files
# Apache configuration to prevent PHP execution in the uploads directory.
# The FilesMatch pattern also catches double-extension names such as shell.php.vtt,
# which a plain "\.php$" pattern would miss.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.ph(p[0-9]?|tml|ar)(\.|$)">
        Require all denied
    </FilesMatch>
    # php_flag is only understood when mod_php is loaded; under PHP-FPM, omit this
    # line and remove the PHP handler mapping for this directory instead.
    php_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.