๐Ÿ” CVE Alert

CVE-2026-12123

MEDIUM 6.4

All-in-One Video Gallery <= 4.8.5 - Authenticated (Subscriber+) Server-Side Request Forgery via 'vdl' Parameter

CVSS Score
6.4
EPSS Score
0.2%
EPSS Percentile
16th

The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the `mp4` post meta of a newly created `aiovg_videos` post via XML-RPC `wp.newPost`, then trigger the unauthenticated `?vdl=<post_id>` endpoint to force the server to fetch that URL and stream the full response body back to the requester.

CWE CWE-918
Vendor plugins360
Product all-in-one video gallery
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for plugins360 all-in-one video gallery

Be the first to know when new medium vulnerabilities affecting plugins360 all-in-one video gallery are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

plugins360 / All-in-One Video Gallery
0 โ‰ค 4.8.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a3bb454c-ac0e-4915-8c6e-070596f7595a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L904 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L724 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L758 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L681 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/includes/roles.php#L70 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L904 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L724 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L758 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L681 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/includes/roles.php#L70 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3582575

Credits

KoreaInfoSec