CVE-2025-14947 Overview
The All-in-One Video Gallery plugin for WordPress contains a missing authorization vulnerability (CWE-862) that enables unauthorized data modification through exposed AJAX endpoints. The vulnerability exists in the ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video functions, which lack proper capability checks in all versions up to and including 4.6.4.
This flaw allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account. The attack becomes feasible when attackers obtain a valid nonce, which is inadvertently exposed in public player templates.
Critical Impact
Unauthenticated attackers can manipulate video content on Bunny Stream CDN accounts, potentially leading to data loss, service disruption, or unauthorized content injection on WordPress sites using this plugin.
Affected Products
- All-in-One Video Gallery plugin for WordPress versions up to and including 4.6.4
- WordPress installations with Bunny Stream CDN integration enabled
- Sites exposing public player templates containing nonce values
Discovery Timeline
- 2026-01-23 - CVE CVE-2025-14947 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-14947
Vulnerability Analysis
This vulnerability represents a classic broken access control flaw where sensitive AJAX callback functions fail to verify user capabilities before executing privileged operations. The affected functions handle critical Bunny Stream CDN operations including video creation, retrieval, and deletion.
The root issue stems from the plugin relying solely on WordPress nonce verification without implementing proper user capability checks. While nonces are designed to prevent CSRF attacks, they do not provide authorization—they merely confirm the request originated from a legitimate page load. When these nonces are exposed in public-facing player templates, the security model collapses entirely.
An attacker who obtains a valid nonce from a public page can invoke these AJAX endpoints without any authentication, gaining the ability to manipulate video content on the connected Bunny Stream CDN account. This could result in unauthorized content deletion, resource exhaustion through mass video creation, or injection of malicious content.
Root Cause
The vulnerability originates from missing capability checks in three AJAX callback functions within the plugin's Bunny Stream integration module. The functions ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video process requests without verifying that the requesting user has appropriate WordPress capabilities (such as edit_posts or manage_options).
Additionally, the plugin exposes nonce values in publicly accessible player templates, which undermines the intended protection that nonce verification provides. The affected code can be reviewed in the plugin source files at init.php and bunny-stream.php.
Attack Vector
The attack leverages the network-accessible AJAX endpoints exposed by the WordPress plugin. An attacker can exploit this vulnerability through the following method:
- Browse to a WordPress site using the vulnerable All-in-One Video Gallery plugin
- Inspect the public player template HTML source code to extract the exposed nonce value
- Craft malicious AJAX requests targeting the wp_ajax_nopriv_* action hooks
- Submit unauthorized requests to create or delete videos on the victim's Bunny Stream CDN account
The attack requires no authentication and can be performed remotely across the network. The only prerequisite is access to a page containing the exposed nonce, which is publicly available in player templates. Technical details of the vulnerable endpoints can be found in the Wordfence vulnerability report.
Detection Methods for CVE-2025-14947
Indicators of Compromise
- Unexpected AJAX requests to admin-ajax.php targeting Bunny Stream callback actions from unauthenticated sessions
- Anomalous video creation or deletion patterns on the connected Bunny Stream CDN account
- Web server logs showing repeated requests to AJAX endpoints with valid nonces from unknown IP addresses
- Unauthorized content appearing in or disappearing from Bunny Stream video libraries
Detection Strategies
- Monitor WordPress AJAX request logs for ajax_callback_create_bunny_stream_video and ajax_callback_delete_bunny_stream_video actions from unauthenticated users
- Implement Web Application Firewall (WAF) rules to detect and block suspicious patterns targeting these specific AJAX endpoints
- Configure alerts for bulk video operations on Bunny Stream CDN that don't correlate with legitimate administrative activity
- Review access logs for requests containing Bunny Stream nonce parameters from non-authenticated sessions
Monitoring Recommendations
- Enable detailed WordPress debug logging to capture AJAX request metadata and source IP addresses
- Set up Bunny Stream CDN API monitoring to track video creation and deletion events
- Implement rate limiting on AJAX endpoints to detect and prevent automated exploitation attempts
- Configure SentinelOne Singularity to monitor for suspicious web application activity patterns on WordPress installations
How to Mitigate CVE-2025-14947
Immediate Actions Required
- Update the All-in-One Video Gallery plugin to a version newer than 4.6.4 immediately
- Review Bunny Stream CDN account for any unauthorized videos or unexpected content deletions
- Temporarily disable the Bunny Stream integration feature if an immediate update is not possible
- Audit web server logs for signs of previous exploitation attempts
Patch Information
The vulnerability has been addressed in a plugin update. The fix implements proper WordPress capability checks on the affected AJAX callback functions before processing requests. Site administrators should update to the latest available version of the All-in-One Video Gallery plugin.
The security patch details can be reviewed in the WordPress plugin changeset 3441541. This update adds the necessary current_user_can() checks to ensure only authorized users can invoke the Bunny Stream CDN management functions.
Workarounds
- Disable the Bunny Stream CDN integration feature within the plugin settings until the patch is applied
- Implement server-level access controls to restrict admin-ajax.php requests to authenticated users only (may affect legitimate functionality)
- Use a WordPress security plugin or WAF to block unauthenticated requests to the affected AJAX actions
- Remove or restrict access to public player templates that expose nonce values
# Example: Block unauthenticated AJAX requests to vulnerable endpoints via .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{QUERY_STRING} action=(ajax_callback_create_bunny_stream_video|ajax_callback_delete_bunny_stream_video) [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
