Vulnerabilities

CVE-2025-14947 - All-in-One Video Gallery <= 4.6.4 - missing authorization to unauthenticated bun...

2026-01-23 0 views admin

CVE ID : CVE-2025-14947 Published : Jan. 23, 2026, 6:16 p.m. | 20 minutes ago Description : The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2025-14947

Severity

MEDIUM

Published

Jan. 23, 2026

Affected Product: WordPress

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2025-14947mediumwordpress

CVE-2025-14947 - All-in-One Video Gallery <= 4.6.4 - missing authorization to unauthenticated bun...

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2026-3134 - itsourcecode News Portal Project edit-category.php sql injection

CVE-2026-3133 - itsourcecode Document Management System Login loging.php sql injection

CVE-2025-46320 - FileMaker WebDirect Cross-Site Scripting (XSS)

CVE-2026-21410 - InSAT MasterSCADA BUK-TS SQL Injection

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting