Shared security patch analysis results
--- cache/all-in-one-video-gallery_4.5.7/admin/admin.php 2026-01-16 00:19:59.779615425 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/admin.php 2026-01-16 00:20:23.445101681 +0000@@ -34,7 +34,12 @@ update_option( 'aiovg_version', AIOVG_PLUGIN_VERSION ); // Insert the missing player settings - $player_settings = get_option( 'aiovg_player_settings', array() ); + $player_settings = get_option( 'aiovg_player_settings' ); + + if ( ! is_array( $player_settings ) || empty( $player_settings ) ) { + $player_settings = $defaults['aiovg_player_settings']; + update_option( 'aiovg_player_settings', $player_settings ); + } $new_player_settings = array(); @@ -76,8 +81,18 @@ } // Insert the missing videos settings - $videos_settings = get_option( 'aiovg_videos_settings', array() ); - $image_settings = get_option( 'aiovg_image_settings', array() ); + $videos_settings = get_option( 'aiovg_videos_settings' ); + + if ( ! is_array( $videos_settings ) || empty( $videos_settings ) ) { + $videos_settings = $defaults['aiovg_videos_settings']; + update_option( 'aiovg_videos_settings', $videos_settings ); + } + + $image_settings = get_option( 'aiovg_image_settings' ); + + if ( ! is_array( $image_settings ) || empty( $image_settings ) ) { + $image_settings = array(); + } $new_videos_settings = array(); @@ -99,7 +114,12 @@ } // Insert the missing categories settings - $categories_settings = get_option( 'aiovg_categories_settings', array() ); + $categories_settings = get_option( 'aiovg_categories_settings' ); + + if ( ! is_array( $categories_settings ) || empty( $categories_settings ) ) { + $categories_settings = $defaults['aiovg_categories_settings']; + update_option( 'aiovg_categories_settings', $categories_settings ); + } $new_categories_settings = array(); 
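Review bot: The `get_option()` / `! is_array() || empty()` / `update_option()` sequence added for `aiovg_player_settings` is repeated with only the option name changed for the videos, categories, video, socialshare, general, page, restrictions, privacy and bunny-stream settings in this and the following hunks; a small private helper would hold the fallback rule in one place and make the remaining call sites one line each. The enclosing method starts outside this hunk and `$defaults` is presumably assigned there, so the helper takes the default array as an argument rather than reading it. As a side note, `empty( $x )` in these conditions is only evaluated once `$x` is known to be an array, so `! is_array( $x ) || ! $x` expresses the same test more directly.
```php
$player_settings = $this->get_array_option( 'aiovg_player_settings', $defaults['aiovg_player_settings'] );
// … unchanged: $new_player_settings migration …

/**
 * Return a settings option as an array, seeding it with $default
 * when the stored value is missing, empty or not an array.
 *
 * @param string $option  Option name.
 * @param array  $default Settings written back when the stored value is unusable.
 * @return array
 */
private function get_array_option( $option, $default ) {
    $settings = get_option( $option );

    if ( ! is_array( $settings ) || empty( $settings ) ) {
        $settings = $default;
        update_option( $option, $settings );
    }

    return $settings;
}
```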
@@ -128,7 +148,12 @@ } // Insert the missing video settings - $video_settings = get_option( 'aiovg_video_settings', array() ); + $video_settings = get_option( 'aiovg_video_settings' ); + + if ( ! is_array( $video_settings ) || empty( $video_settings ) ) { + $video_settings = $defaults['aiovg_video_settings']; + update_option( 'aiovg_video_settings', $video_settings ); + } $new_video_settings = array(); @@ -146,7 +171,9 @@ } // Insert the images settings - if ( false === get_option( 'aiovg_images_settings' ) ) { + $images_settings = get_option( 'aiovg_images_settings' ); + + if ( ! is_array( $images_settings ) || empty( $images_settings ) ) { $images_settings = array( 'width' => $defaults['aiovg_images_settings']['width'], 'ratio' => $defaults['aiovg_images_settings']['ratio'], 
@@ -161,30 +188,40 @@ $images_settings['ratio'] = $videos_settings['ratio']; } - add_option( 'aiovg_images_settings', $images_settings ); + update_option( 'aiovg_images_settings', $images_settings ); } // Insert the featured images settings - if ( false === get_option( 'aiovg_featured_images_settings' ) ) { - add_option( 'aiovg_featured_images_settings', array( + $featured_images_settings = get_option( 'aiovg_featured_images_settings' ); + + if ( ! is_array( $featured_images_settings ) || empty( $featured_images_settings ) ) { + $featured_images_settings = array( 'enabled' => $defaults['aiovg_featured_images_settings']['enabled'], 'download_external_images' => $defaults['aiovg_featured_images_settings']['download_external_images'], 'hide_on_single_video_pages' => $defaults['aiovg_featured_images_settings']['hide_on_single_video_pages'] - )); + ); + + update_option( 'aiovg_featured_images_settings', $featured_images_settings ); } // Insert the likes / dislikes settings - if ( false === get_option( 'aiovg_likes_settings' ) ) { - add_option( 'aiovg_likes_settings', array( + $likes_settings = get_option( 'aiovg_likes_settings' ); + + if ( ! is_array( $likes_settings ) || empty( $likes_settings ) ) { + $likes_settings = array( 'like_button' => $defaults['aiovg_likes_settings']['like_button'], 'dislike_button' => $defaults['aiovg_likes_settings']['dislike_button'], 'login_required_to_vote' => $defaults['aiovg_likes_settings']['login_required_to_vote'] - )); + ); + + update_option( 'aiovg_likes_settings', $likes_settings ); } // Insert the related videos settings - if ( false === get_option( 'aiovg_related_videos_settings' ) ) { - add_option( 'aiovg_related_videos_settings', array( + $related_videos_settings = get_option( 'aiovg_related_videos_settings' ); + + if ( ! 
is_array( $related_videos_settings ) || empty( $related_videos_settings ) ) { + $related_videos_settings = array( 'title' => $defaults['aiovg_related_videos_settings']['title'], 'columns' => isset( $videos_settings['columns'] ) ? $videos_settings['columns'] : $defaults['aiovg_videos_settings']['columns'], 'limit' => isset( $videos_settings['limit'] ) ? $videos_settings['limit'] : $defaults['aiovg_videos_settings']['limit'], @@ -193,23 +230,28 @@ 'display' => array( 'pagination' => 'pagination' ) - ) ); - } else { - $related_videos_settings = get_option( 'aiovg_related_videos_settings', array() ); + ); - $new_related_videos_settings = array(); + update_option( 'aiovg_related_videos_settings', $related_videos_settings ); + } - if ( ! array_key_exists( 'title', $related_videos_settings ) ) { - $new_related_videos_settings['title'] = __( 'You may also like', 'all-in-one-video-gallery' ); - } + $new_related_videos_settings = array(); - if ( count( $new_related_videos_settings ) ) { - update_option( 'aiovg_related_videos_settings', array_merge( $related_videos_settings, $new_related_videos_settings ) ); - } + if ( ! array_key_exists( 'title', $related_videos_settings ) ) { + $new_related_videos_settings['title'] = __( 'You may also like', 'all-in-one-video-gallery' ); + } + + if ( count( $new_related_videos_settings ) ) { + update_option( 'aiovg_related_videos_settings', array_merge( $related_videos_settings, $new_related_videos_settings ) ); } // Insert the missing socialshare settings - $socialshare_settings = get_option( 'aiovg_socialshare_settings', array() ); + $socialshare_settings = get_option( 'aiovg_socialshare_settings' ); + + if ( ! is_array( $socialshare_settings ) || empty( $socialshare_settings ) ) { + $socialshare_settings = $defaults['aiovg_socialshare_settings']; + update_option( 'aiovg_socialshare_settings', $socialshare_settings ); + } $new_socialshare_settings = array(); 
@@ -226,7 +268,12 @@ } // Insert the missing general settings - $general_settings = get_option( 'aiovg_general_settings', array() ); + $general_settings = get_option( 'aiovg_general_settings' ); + + if ( ! is_array( $general_settings ) || empty( $general_settings ) ) { + $general_settings = $defaults['aiovg_general_settings']; + update_option( 'aiovg_general_settings', $general_settings ); + } $new_general_settings = array(); @@ -251,19 +298,30 @@ } // Insert the api settings - if ( false === get_option( 'aiovg_api_settings' ) ) { - $automations_settings = get_option( 'aiovg_automations_settings', array() ); + $api_settings = get_option( 'aiovg_api_settings' ); + + if ( ! is_array( $api_settings ) || empty( $api_settings ) ) { + $automations_settings = get_option( 'aiovg_automations_settings' ); + + if ( ! is_array( $automations_settings ) || empty( $automations_settings ) ) { + $automations_settings = array(); + } $defaults = array( 'youtube_api_key' => isset( $automations_settings['youtube_api_key'] ) ? $automations_settings['youtube_api_key'] : '', 'vimeo_access_token' => isset( $general_settings['vimeo_access_token'] ) ? $general_settings['vimeo_access_token'] : '' ); - add_option( 'aiovg_api_settings', $defaults ); + update_option( 'aiovg_api_settings', $defaults ); } // Insert the missing page settings - $page_settings = get_option( 'aiovg_page_settings', array() ); + $page_settings = get_option( 'aiovg_page_settings' ); + + if ( ! is_array( $page_settings ) || empty( $page_settings ) ) { + $page_settings = $defaults['aiovg_page_settings']; + update_option( 'aiovg_page_settings', $page_settings ); + } if ( ! array_key_exists( 'tag', $page_settings ) ) { aiovg_insert_missing_pages(); 
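Review bot: Inside the new `if ( ! is_array( $api_settings ) || empty( $api_settings ) )` block, the context line `$defaults = array( 'youtube_api_key' => …, 'vimeo_access_token' => … )` overwrites the `$defaults` array the rest of the method reads, and the page-settings code added right after it does `$page_settings = $defaults['aiovg_page_settings'];` — on a first activation, or whenever `aiovg_api_settings` is absent, that lookup hits the two-key API array instead, so `$page_settings` becomes `null` with an undefined-index notice and that is what `update_option()` writes back. The same clobbered `$defaults` feeds the `aiovg_restrictions_settings`, `aiovg_privacy_settings` and `aiovg_bunny_stream_settings` fallbacks in the next hunk. The shadowing predates this commit, but the commit adds new readers after it; renaming the local — `$api_defaults = array(` … `update_option( 'aiovg_api_settings', $api_defaults );` — removes the collision. The enclosing method starts outside this hunk, so where `$defaults` is first assigned cannot be confirmed from here.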
@@ -272,24 +330,29 @@ // Insert / Update the restrictions settings $restrictions_settings = get_option( 'aiovg_restrictions_settings' ); - if ( false === $restrictions_settings ) { - add_option( 'aiovg_restrictions_settings', $defaults['aiovg_restrictions_settings'] ); - } else { - $restrictions_settings = (array) $restrictions_settings; + if ( ! is_array( $restrictions_settings ) || empty( $restrictions_settings ) ) { + $restrictions_settings = $defaults['aiovg_restrictions_settings']; + update_option( 'aiovg_restrictions_settings', $restrictions_settings ); + } - if ( ! array_key_exists( 'show_restricted_label', $restrictions_settings ) ) { - update_option( 'aiovg_restrictions_settings', array_merge( $defaults['aiovg_restrictions_settings'], $restrictions_settings ) ); - } + if ( ! array_key_exists( 'show_restricted_label', $restrictions_settings ) ) { + update_option( 'aiovg_restrictions_settings', array_merge( $defaults['aiovg_restrictions_settings'], $restrictions_settings ) ); } - // Insert the privacy settings - if ( false === get_option( 'aiovg_privacy_settings' ) ) { - add_option( 'aiovg_privacy_settings', $defaults['aiovg_privacy_settings'] ); + // Insert the privacy settings + $privacy_settings = get_option( 'aiovg_privacy_settings' ); + + if ( ! is_array( $privacy_settings ) || empty( $privacy_settings ) ) { + $privacy_settings = $defaults['aiovg_privacy_settings']; + update_option( 'aiovg_privacy_settings', $privacy_settings ); } // Insert the bunny stream settings - if ( false === get_option( 'aiovg_bunny_stream_settings' ) ) { - add_option( 'aiovg_bunny_stream_settings', $defaults['aiovg_bunny_stream_settings'] ); + $bunny_stream_settings = get_option( 'aiovg_bunny_stream_settings' ); + + if ( ! is_array( $bunny_stream_settings ) || empty( $bunny_stream_settings ) ) { + $bunny_stream_settings = $defaults['aiovg_bunny_stream_settings']; + update_option( 'aiovg_bunny_stream_settings', $bunny_stream_settings ); } // Delete the unwanted plugin options 
@@ -419,7 +482,7 @@ foreach ( $pages as $key => $page ) { $issue_found = 0; - $post_id = $page_settings[ $key ]; + $post_id = isset( $page_settings[ $key ] ) ? $page_settings[ $key ] : 0; $pattern = ''; if ( ! empty( $pages[ $key ]['content'] ) ) { @@ -479,7 +542,7 @@ foreach ( $pages as $key => $page ) { $issue_found = 0; - $post_id = $page_settings[ $key ]; + $post_id = isset( $page_settings[ $key ] ) ? $page_settings[ $key ] : 0; $pattern = ''; if ( ! empty( $pages[ $key ]['content'] ) ) { 
@@ -869,25 +932,129 @@ } /** - * Sets the extension and mime type for .vtt files. + * Extend MIME type recognition for media and streaming files. + * + * Adds support for WebVTT (.vtt) and SRT (.srt) subtitle uploads, + * and registers MIME types for HLS (.m3u8) and MPEG-DASH (.mpd) + * playlist files to ensure proper file type validation within WordPress. + * The HLS and DASH file types are not permitted for upload, but are + * recognized to avoid MIME type mismatches during playback or external + * media reference checks. + * + * @since 3.0.0 + * @param array $mimes Array of allowed mime types. + * @return array Filtered mime types array. + */ + public function add_mime_types( $mimes ) { + $mimes['vtt'] = 'text/vtt'; + $mimes['srt'] = 'application/x-subrip'; + $mimes['m3u8'] = 'application/x-mpegurl'; + $mimes['mpd'] = 'application/dash+xml'; + + return $mimes; + } + + /** + * Ensure WordPress properly recognizes .vtt and .srt files. * * @since 1.5.7 * @param array $types File data array containing 'ext', 'type', and 'proper_filename' keys. - * @param string $file Full path to the file. - * @param string $filename The name of the file (may differ from $file due to $file being in a tmp directory). - * @param array $mimes Key is the file extension with value as the mime type. + * @param string $file Full path to the file. + * @param string $filename The name of the file (may differ from $file due to $filename being in a tmp directory). + * @param array $mimes Key is the file extension with value as the mime type. * @return array $types Filtered file data array. 
*/ public function add_filetype_and_ext( $types, $file, $filename, $mimes ) { - if ( false !== strpos( $filename, '.vtt' ) ) { + $type = wp_check_filetype( $filename, $mimes ); + + if ( 'vtt' === $type['ext'] ) { $types['ext'] = 'vtt'; $types['type'] = 'text/vtt'; } + + if ( 'srt' === $type['ext'] ) { + $types['ext'] = 'srt'; + + // Prioritize standard MIME but fall back safely + if ( in_array( $type['type'], array( 'application/x-subrip', 'text/srt', 'text/plain' ) ) ) { + $types['type'] = $type['type']; // Use whichever the server assigns + } else { + $types['type'] = 'application/x-subrip'; // Safe default + } + } return $types; } /** + * Validate uploaded WebVTT (.vtt) and SubRip (.srt) subtitle files. + * + * Uses real MIME detection via finfo (preferred and more secure). + * Falls back to structure-based validation if finfo is unavailable. + * + * @since 4.5.8 + * @param array $file Reference to a single element from the `$_FILES` array. + * @return array Modified file array or error response. + */ + public function wp_handle_upload_prefilter( $file ) { + $filename = strtolower( $file['name'] ); + + // Only handle VTT/SRT uploads + if ( ! str_ends_with( $filename, '.vtt' ) && ! str_ends_with( $filename, '.srt' ) ) { + return $file; + } + + // Real MIME detection + if ( function_exists( 'finfo_open' ) ) { + $finfo = finfo_open( FILEINFO_MIME_TYPE ); + $real_mime = finfo_file( $finfo, $file['tmp_name'] ); + finfo_close( $finfo ); + + $allowed_mimes = array( + 'text/vtt', + 'application/x-subrip', + 'text/srt', + 'text/plain' + ); + + if ( ! 
in_array( $real_mime, $allowed_mimes, true ) ) { + $file['error'] = __( 'Upload blocked — file MIME type is not a valid subtitle format.', 'all-in-one-video-gallery' ); + return $file; + } + + return $file; // MIME safe — no further checks needed + } + + // Fallback — Subtitle structure validation + if ( str_ends_with( $filename, '.vtt' ) ) { + $handle = fopen( $file['tmp_name'], 'r' ); + $first_line = trim( fgets( $handle ) ); + fclose( $handle ); + + if ( strpos( $first_line, 'WEBVTT' ) !== 0 ) { + $file['error'] = __( 'Invalid WebVTT file — must start with "WEBVTT".', 'all-in-one-video-gallery' ); + } + } + + // Fallback Validate SRT + if ( str_ends_with( $filename, '.srt' ) ) { + $handle = fopen( $file['tmp_name'], 'r' ); + $first_line = trim( fgets( $handle ) ); + $second_line = trim( fgets( $handle ) ); + fclose( $handle ); + + $valid_index = preg_match( '/^\d+$/', $first_line ); + $valid_time = preg_match( '/^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}$/', $second_line ); + + if ( ! $valid_index || ! $valid_time ) { + $file['error'] = __( 'Invalid SRT file — does not follow standard SubRip formatting.', 'all-in-one-video-gallery' ); + } + } + + return $file; + } + + /** * Store user meta. * * @since 4.0.1
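Review bot: When finfo is available, `wp_handle_upload_prefilter()` returns as soon as the detected type is in `$allowed_mimes`, and that list includes `text/plain`, so any plain-text content named `.vtt` or `.srt` never reaches the WEBVTT / SubRip structure checks that the fallback path enforces; removing the `return $file; // MIME safe — no further checks needed` line so the structural checks always run keeps one content check that does not depend on libmagic's verdict. In the fallback branches `fopen()` can return `false` and is passed straight to `fgets()`, so a guard such as `if ( ! $handle ) { $file['error'] = __( 'Unable to read the uploaded file.', 'all-in-one-video-gallery' ); return $file; }` is missing before each read. Both `strpos( $first_line, 'WEBVTT' ) !== 0` and the `/^\d+$/` index test reject otherwise valid files that begin with a UTF-8 BOM, which the WebVTT format allows, so stripping `"\xEF\xBB\xBF"` from `$first_line` before testing avoids that false rejection. In `add_filetype_and_ext()` the `in_array( $type['type'], array( … ) )` call should pass `true` as its third argument for a strict comparison, matching the prefilter.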
I'll analyze this code diff for security fixes.
Vulnerability Existed: yes
FALSE POSITIVE
[Type Juggling / Unsafe Data Handling] - [CWE-843] - [admin/admin.php] [37-41, 79-88, 117-121, 151-155, 174-191, 197-217, 223-247, 251-255, 271-279, 301-318, 322-327, 333-341, 345-349]
Old Code:
```php
$player_settings = get_option( 'aiovg_player_settings', array() );
```
Fixed Code:
```php
$player_settings = get_option( 'aiovg_player_settings' );
if ( ! is_array( $player_settings ) || empty( $player_settings ) ) {
$player_settings = $defaults['aiovg_player_settings'];
update_option( 'aiovg_player_settings', $player_settings );
}
```
Explanation:
The old code relied on `get_option()`'s default parameter to return an empty array if the option didn't exist. However, `get_option()` can return `false` when an option doesn't exist (if no default is provided), or it could return other non-array values if the database contains corrupted/unexpected data. This creates a type juggling vulnerability where the code assumes `$player_settings` is always an array, but it could be `false`, a string, an object, or other types. This leads to potential type errors when calling array functions like `array_key_exists()`, `array_merge()`, etc. The fix explicitly validates that the retrieved value is an array before using it, preventing type juggling attacks and data corruption issues.
---
Vulnerability Existed: yes
TRUE POSITIVE
[Unsafe File Upload Validation] - [CWE-434] - [admin/admin.php] [903-1050]
Old Code:
```php
public function add_filetype_and_ext( $types, $file, $filename, $mimes ) {
if ( false !== strpos( $filename, '.vtt' ) ) {
$types['ext'] = 'vtt';
$types['type'] = 'text/vtt';
}
return $types;
}
```
Fixed Code:
```php
public function wp_handle_upload_prefilter( $file ) {
$filename = strtolower( $file['name'] );
// Only handle VTT/SRT uploads
if ( ! str_ends_with( $filename, '.vtt' ) && ! str_ends_with( $filename, '.srt' ) ) {
return $file;
}
// Real MIME detection
if ( function_exists( 'finfo_open' ) ) {
$finfo = finfo_open( FILEINFO_MIME_TYPE );
$real_mime = finfo_file( $finfo, $file['tmp_name'] );
finfo_close( $finfo );
$allowed_mimes = array(
'text/vtt',
'application/x-subrip',
'text/srt',
'text/plain'
);
if ( ! in_array( $real_mime, $allowed_mimes, true ) ) {
$file['error'] = __( 'Upload blocked — file MIME type is not a valid subtitle format.', 'all-in-one-video-gallery' );
return $file;
}
return $file; // MIME safe — no further checks needed
}
// Fallback — Subtitle structure validation
if ( str_ends_with( $filename, '.vtt' ) ) {
$handle = fopen( $file['tmp_name'], 'r' );
$first_line = trim( fgets( $handle ) );
fclose( $handle );
if ( strpos( $first_line, 'WEBVTT' ) !== 0 ) {
$file['error'] = __( 'Invalid WebVTT file — must start with "WEBVTT".', 'all-in-one-video-gallery' );
}
}
// Fallback Validate SRT
if ( str_ends_with( $filename, '.srt' ) ) {
$handle = fopen( $file['tmp_name'], 'r' );
$first_line = trim( fgets( $handle ) );
$second_line = trim( fgets( $handle ) );
fclose( $handle );
$valid_index = preg_match( '/^\d+$/', $first_line );
$valid_time = preg_match( '/^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}$/', $second_line );
if ( ! $valid_index || ! $valid_time ) {
$file['error'] = __( 'Invalid SRT file — does not follow standard SubRip formatting.', 'all-in-one-video-gallery' );
}
}
return $file;
}
```
Explanation:
The old code only checked if the filename contains `.vtt`, which is insufficient file upload validation. An attacker could upload a file like `malicious.vtt.php` or `malicious.php.vtt` that would pass the loose string check but execute as PHP. The fix implements comprehensive file validation using: (1) Real MIME type detection via `finfo_open()` to detect the actual file type regardless of extension, (2) An allowlist of safe MIME types, (3) Fallback structure validation that checks WebVTT and SRT file format signatures, ensuring only legitimate subtitle files are accepted. This prevents polyglot file attacks and extension-based bypass techniques.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/admin/categories.php 2026-01-16 00:19:59.779615425 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/categories.php 2026-01-16 00:20:23.453102183 +0000@@ -166,6 +166,8 @@ * @return array $columns Updated list of table columns. */ public function get_columns( $columns ) { + unset( $columns['slug'] ); + $columns = aiovg_insert_array_after( 'cb', $columns, array( 'image' => '' ));
Vulnerability Existed: no
No CWE - N/A - admin/categories.php Lines 169-170
Old Code:
```php
public function get_columns( $columns ) {
$columns = aiovg_insert_array_after( 'cb', $columns, array(
'image' => ''
));
```
Fixed Code:
```php
public function get_columns( $columns ) {
unset( $columns['slug'] );
$columns = aiovg_insert_array_after( 'cb', $columns, array(
'image' => ''
));
```
Explanation:
This change removes the 'slug' column from the admin table display by unsetting it from the columns array. This is a UI/display modification rather than a security fix. The code removes a column that may not be necessary or desired in the admin interface. This does not address or introduce any security vulnerabilities—it's a functional change to customize which columns are visible in the WordPress admin table. No CWE applies to this change as there is no security issue being fixed or introduced.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/admin/import-export.php 2026-01-16 00:19:59.779615425 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/import-export.php 2026-01-16 00:20:23.461102685 +0000@@ -63,8 +63,15 @@ * @since 4.5.2 */ public function ajax_callback_import_folder() { + @set_time_limit( 1200 ); + ignore_user_abort( true ); + check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security + if ( ! current_user_can( 'manage_aiovg_options' ) ) { + wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) ); + } + $response = array(); // Sanitize and extract folder path @@ -254,8 +261,15 @@ * @since 4.5.2 */ public function ajax_callback_import_csv() { + @set_time_limit( 1200 ); + ignore_user_abort( true ); + check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security + if ( ! current_user_can( 'manage_aiovg_options' ) ) { + wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) ); + } + // Sanitize and extract parameters $csv_file = isset( $_POST['csv_file'] ) ? esc_url_raw( $_POST['csv_file'] ) : ''; $zip_file = isset( $_POST['zip_file'] ) ? sanitize_text_field( wp_unslash( $_POST['zip_file'] ) ) : ''; @@ -415,6 +429,10 @@ public function ajax_callback_get_csv_columns() { check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security + if ( ! current_user_can( 'manage_aiovg_options' ) ) { + wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) ); + } + // Sanitize and extract parameters. $csv_file = isset( $_POST['csv_file'] ) ? esc_url_raw( $_POST['csv_file'] ) : ''; $columns_separator = isset( $_POST['columns_separator'] ) ? sanitize_text_field( $_POST['columns_separator'] ) : ','; 
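Review bot: In `ajax_callback_import_folder()` the new `@set_time_limit( 1200 );` and `ignore_user_abort( true );` run before `check_ajax_referer()` and the `current_user_can( 'manage_aiovg_options' )` check, so a request that fails either check has already been granted a 20-minute budget and detached from client disconnects; moving the two calls below the capability check keeps the resource grants behind authorization. The practical cost is small because `wp_send_json_error()` terminates the request, but the ordering is the same in `ajax_callback_import_csv` in this hunk group and in `ajax_callback_export_csv` and `ajax_callback_export_zip` in the following hunks, so one fix applies to all four. The `@` on `set_time_limit()` hides the warning raised on hosts that disable the function; a comment such as `// set_time_limit() may be disabled by the host; a failure here is non-fatal` would record that the suppression is deliberate.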
@@ -478,8 +496,15 @@ * @since 4.5.2 */ public function ajax_callback_export_csv() { + @set_time_limit( 1200 ); + ignore_user_abort( true ); + check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security + if ( ! current_user_can( 'manage_aiovg_options' ) ) { + wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) ); + } + // Sanitize and extract parameters $offset = isset( $_POST['offset'] ) ? (int) $_POST['offset'] : 0; $limit = isset( $_POST['limit'] ) ? (int) $_POST['limit'] : 200; @@ -786,8 +811,15 @@ * @since 4.5.2 */ public function ajax_callback_export_zip() { + @set_time_limit( 1200 ); + ignore_user_abort( true ); + check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security + if ( ! current_user_can( 'manage_aiovg_options' ) ) { + wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) ); + } + if ( ! class_exists( 'ZipArchive' ) ) { wp_send_json_error( array( 'error' => __( 'ZIP creation is not supported on your server. This feature requires the PHP "ZipArchive" class. Please ask your hosting provider to enable the PHP ZIP extension, or upgrade PHP to a version that includes it.', 'all-in-one-video-gallery' ) ) ); } 
@@ -1247,12 +1279,57 @@ return new WP_Error( 'mkdir_failed', __( 'Sorry, we were unable to create the import directory. Please check your folder permissions and try again.', 'all-in-one-video-gallery' ) ); } + // Create protection files safely inside the extract path + $htaccess_file = trailingslashit( $extract_path ) . '.htaccess'; + $webconfig_file = trailingslashit( $extract_path ) . 'web.config'; + $htaccess_rules = "Deny from all\n"; + $webconfig_rules = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + . "<configuration>\n" + . "\t<system.webServer>\n" + . "\t\t<authorization>\n" + . "\t\t\t<deny users=\"*\" />\n" + . "\t\t</authorization>\n" + . "\t</system.webServer>\n" + . "</configuration>"; + + if ( false === @file_put_contents( $htaccess_file, $htaccess_rules ) ) { + return new WP_Error( 'file_write_failed', __( 'We were unable to complete a required file operation. Please make sure your server allows writing files.', 'all-in-one-video-gallery' ) ); + } + + if ( false === @file_put_contents( $webconfig_file, $webconfig_rules ) ) { + return new WP_Error( 'file_write_failed', __( 'We were unable to complete a required file operation. 
Please make sure your server allows writing files.', 'all-in-one-video-gallery' ) ); + } + + // Unzip $unzip_result = unzip_file( $zip_file_path, $extract_path ); if ( is_wp_error( $unzip_result ) ) { + // Remove protection files before returning + @unlink( $htaccess_file ); + @unlink( $webconfig_file ); + return $unzip_result; } + // Keep only files allowed by WordPress MIME validation + $iterator = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator( $extract_path, RecursiveDirectoryIterator::SKIP_DOTS ), + RecursiveIteratorIterator::CHILD_FIRST + ); + + foreach ( $iterator as $file ) { + if ( $file->isFile() ) { + $filetype = wp_check_filetype( $file->getFilename() ); + if ( empty( $filetype['type'] ) ) { + @unlink( $file->getPathname() ); + } + } + } + + // Security cleanup + @unlink( $htaccess_file ); + @unlink( $webconfig_file ); + return untrailingslashit( $extract_path ); } @@ -1297,8 +1374,6 @@ * @return array $response Array containing import results. */ private function import_videos_from_folder( $videos, $attributes = array() ) { - set_time_limit( 1200 ); - $response = array( 'total' => count( $videos ), 'imported' => array(), @@ -1404,8 +1479,6 @@ * @return array $response Array containing import results. */ private function import_videos_from_csv( $videos, $attributes = array() ) { - set_time_limit( 1200 ); - $response = array( 'total' => count( $videos ), 'imported' => array(),
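Review bot: `$htaccess_rules = "Deny from all\n"` is Apache 2.2 `mod_access` syntax; on Apache 2.4 it is only understood when `mod_access_compat` is loaded, and without that module the directive is a configuration error, so requests into the directory fail with a 500 and a logged error rather than a deliberate denial — covering both authorization modules, as below, makes the protection file portable. The `// Security cleanup` block then removes `.htaccess` and `web.config` straight after the extension filter, so from that point only `wp_check_filetype()` — an extension-based check — stands between the extracted files and the web server; if the code that consumes `$extract_path` runs later (it is outside this hunk), consider deleting the protection files only when the directory itself is removed. The `RecursiveIteratorIterator::CHILD_FIRST` ordering has no effect here because only files are unlinked, so directories left empty by rejected entries remain on disk.
```php
$htaccess_rules = "<IfModule mod_authz_core.c>\n"
    . "\tRequire all denied\n"
    . "</IfModule>\n"
    . "<IfModule !mod_authz_core.c>\n"
    . "\tOrder deny,allow\n"
    . "\tDeny from all\n"
    . "</IfModule>\n";
// … unchanged: web.config rules, protection-file writes, unzip_file() call, extension filter, cleanup …
```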
Let me analyze the provided diff for security vulnerabilities:
---
## Vulnerability 1: Unrestricted File Type Upload
**Vulnerability Existed:** yes
**CWE-434 - Unrestricted Upload of File with Dangerous Type - admin/import-export.php - Lines 1313-1320**
**Old Code:**
```php
$unzip_result = unzip_file( $zip_file_path, $extract_path );
if ( is_wp_error( $unzip_result ) ) {
return $unzip_result;
}
return untrailingslashit( $extract_path );
```
**Fixed Code:**
```php
$unzip_result = unzip_file( $zip_file_path, $extract_path );
if ( is_wp_error( $unzip_result ) ) {
// Remove protection files before returning
@unlink( $htaccess_file );
@unlink( $webconfig_file );
return $unzip_result;
}
// Keep only files allowed by WordPress MIME validation
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $extract_path, RecursiveDirectoryIterator::SKIP_DOTS ),
RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $iterator as $file ) {
if ( $file->isFile() ) {
$filetype = wp_check_filetype( $file->getFilename() );
if ( empty( $filetype['type'] ) ) {
@unlink( $file->getPathname() );
}
}
}
// Security cleanup
@unlink( $htaccess_file );
@unlink( $webconfig_file );
return untrailingslashit( $extract_path );
```
**Explanation:**
The old code extracted ZIP files without validating file types. The fix adds validation using `wp_check_filetype()` so that only WordPress-approved file types are kept after extraction: files whose extension does not map to an allowed MIME type are deleted, so malicious executable files do not remain in the extracted folder.
---
## Vulnerability 2: Missing Authorization Checks
**Vulnerability Existed:** yes
**CWE-862 - Missing Authorization - admin/import-export.php - Lines 66-70, 264-268, 432-436, 499-503, 814-818**
**Old Code:**
```php
public function ajax_callback_import_folder() {
check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
$response = array();
```
**Fixed Code:**
```php
public function ajax_callback_import_folder() {
@set_time_limit( 1200 );
ignore_user_abort( true );
check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
if ( ! current_user_can( 'manage_aiovg_options' ) ) {
wp_send_json_error( array( 'error' => esc_html__( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) ) );
}
$response = array();
```
**Explanation:**
The old code only verified the nonce but did not check user capabilities. Any authenticated user could execute these AJAX callbacks, including import/export operations. The fix adds `current_user_can( 'manage_aiovg_options' )` checks to all five AJAX callback functions, restricting them to users with proper permissions.
---
## Vulnerability 3: Directory Traversal Protection
**Vulnerability Existed:** yes
**CWE-22 - Improper Limitation of a Pathname to a Restricted Directory - admin/import-export.php - Lines 1280-1303**
**Old Code:**
```php
if ( ! wp_mkdir_p( $extract_path ) ) {
return new WP_Error( 'mkdir_failed', __( 'Sorry, we were unable to create the import directory. Please check your folder permissions and try again.', 'all-in-one-video-gallery' ) );
}
$unzip_result = unzip_file( $zip_file_path, $extract_path );
```
**Fixed Code:**
```php
if ( ! wp_mkdir_p( $extract_path ) ) {
return new WP_Error( 'mkdir_failed', __( 'Sorry, we were unable to create the import directory. Please check your folder permissions and try again.', 'all-in-one-video-gallery' ) );
}
// Create protection files safely inside the extract path
$htaccess_file = trailingslashit( $extract_path ) . '.htaccess';
$webconfig_file = trailingslashit( $extract_path ) . 'web.config';
$htaccess_rules = "Deny from all\n";
$webconfig_rules = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
. "<configuration>\n"
. "\t<system.webServer>\n"
. "\t\t<authorization>\n"
. "\t\t\t<deny users=\"*\" />\n"
. "\t\t</authorization>\n"
. "\t</system.webServer>\n"
. "</configuration>";
if ( false === @file_put_contents( $htaccess_file, $htaccess_rules ) ) {
return new WP_Error( 'file_write_failed', __( 'We were unable to complete a required file operation. Please make sure your server allows writing files.', 'all-in-one-video-gallery' ) );
}
if ( false === @file_put_contents( $webconfig_file, $webconfig_rules ) ) {
return new WP_Error( 'file_write_failed', __( 'We were unable to complete a required file operation. Please make sure your server allows writing files.', 'all-in-one-video-gallery' ) );
}
$unzip_result = unzip_file( $zip_file_path, $extract_path );
```
**Explanation:**
The fix adds `.htaccess` (Apache) and `web.config` (IIS) protection files that prevent direct access to extracted files via HTTP requests. This mitigates risks if an attacker manages to extract malicious files, preventing them from being served directly. These protection files are created before extraction and cleaned up afterward.
---
## Summary
The patch addresses three critical security issues:
1. **File upload validation** - prevents arbitrary file types from being extracted
2. **Authorization checks** - restricts AJAX operations to permitted users
3. **Access control** - prevents direct HTTP access to extracted temporary files
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/admin/settings.php 2026-01-16 00:19:59.783615676 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/settings.php 2026-01-16 00:20:23.485104192 +0000@@ -312,7 +312,7 @@ 'name' => 'ratio', 'label' => __( 'Height (Ratio)', 'all-in-one-video-gallery' ), 'description' => sprintf( - '%s<br /><br /><strong>%s:</strong><br />"56.25" - %s<br />"62.5" - %s<br />"75" - %s<br />"67" - %s<br />"100" - %s<br />"41.7" - %s', + '%s<br /><br /><ul class="aiovg-no-margin"><li><strong>%s:</strong></li><li>"56.25" - %s</li><li>"62.5" - %s</li><li>"75" - %s</li><li>"67" - %s</li><li>"100" - %s</li><li>"41.7" - %s</li></ul>', __( "In percentage. 1 to 100. Calculate player's height using the ratio value entered.", 'all-in-one-video-gallery' ), __( 'Examples', 'all-in-one-video-gallery' ), __( 'Wide Screen TV', 'all-in-one-video-gallery' ), @@ -350,7 +350,7 @@ 'name' => 'preload', 'label' => __( 'Preload', 'all-in-one-video-gallery' ), 'description' => sprintf( - '%s<br /><br />%s<br />%s<br />%s', + '%s<br /><br /><ul class="aiovg-no-margin"><li>%s</li><li>%s</li><li>%s</li></ul>', __( 'Specifies if and how the video should be loaded when the page loads.', 'all-in-one-video-gallery' ), __( '"Auto" - The video should be loaded entirely when the page loads', 'all-in-one-video-gallery' ), __( '"Metadata" - Only metadata should be loaded when the page loads', 'all-in-one-video-gallery' ), 
@@ -401,7 +401,7 @@ 'name' => 'hotkeys', 'label' => __( 'Keyboard Hotkeys', 'all-in-one-video-gallery' ), 'description' => sprintf( - '%s<br /><br />%s<br />%s<br />%s<br />%s<br />%s<br />%s<br />%s', + '%s<br /><br /><ul class="aiovg-no-margin"><li>%s</li><li>%s</li><li>%s</li><li>%s</li><li>%s</li><li>%s</li><li>%s</li></ul>', __( 'Check this option to enable keyboard shortcuts to control the player.', 'all-in-one-video-gallery' ), __( '"Spacebar" - Toggles between Play and Pause.', 'all-in-one-video-gallery' ), __( '"Left Arrow" - Rewinds the video.', 'all-in-one-video-gallery' ), @@ -1303,7 +1303,7 @@ $type = isset( $args['type'] ) ? $args['type'] : 'text'; $placeholder = empty( $args['placeholder'] ) ? '' : ' placeholder="' . $args['placeholder'] . '"'; - $html = sprintf( '<input type="%1$s" class="%2$s-text" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder ); + $html = sprintf( '<input type="%1$s" class="%2$s-text widefat" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder ); $html .= $this->get_field_description( $args ); echo $html; @@ -1334,7 +1334,7 @@ $max = empty( $args['max'] ) ? '' : ' max="' . $args['max'] . '"'; $step = empty( $args['max'] ) ? '' : ' step="' . $args['step'] . '"'; - $html = sprintf( '<input type="%1$s" class="%2$s-number" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s%7$s%8$s%9$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder, $min, $max, $step ); + $html = sprintf( '<input type="%1$s" class="%2$s-number widefat" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s%7$s%8$s%9$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder, $min, $max, $step ); $html .= $this->get_field_description( $args ); echo $html;
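Review bot: In the @@ -1303 and @@ -1334 hunks the only change on the `sprintf()` line is the added `widefat` class, while `$value` and the `$placeholder` attribute built from `$args['placeholder']` are still written into the `value="%5$s"` / ` placeholder="..."` attributes without `esc_attr()`; where `$value` originates is outside the hunk, but a settings value stored earlier is the usual source. The @@ -1334 context also shows `$step = empty( $args['max'] ) ? '' : ' step="' . $args['step'] . '"';`, which keys the step attribute off `max` rather than `step` and reads an undefined index whenever `max` is set but `step` is not; it should read `$step = empty( $args['step'] ) ? '' : ' step="' . esc_attr( $args['step'] ) . '"';`. The same `esc_attr( $value )` treatment applies to the `value` argument of both `sprintf()` calls. The enclosing callback methods start outside the hunks.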
I'll analyze this code diff for security vulnerabilities. **Vulnerability 1:** Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - admin/settings.php Lines 1306, 1337 Old Code: ```php $html = sprintf( '<input type="%1$s" class="%2$s-text" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder ); ``` Fixed Code: ```php $html = sprintf( '<input type="%1$s" class="%2$s-text widefat" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s%7$s%8$s%9$s/>', $type, $size, $args['section'], $args['id'], $value, $placeholder, $min, $max, $step ); ``` Explanation: The vulnerability is NOT being fixed in this diff. Both the old and new code lack proper HTML escaping for the `$value` variable. The `$value` parameter is inserted directly into the HTML without using `esc_attr()`, which means an attacker could inject malicious HTML/JavaScript by crafting input values. The changes shown (adding "widefat" class) do not address this XSS vulnerability. The `$placeholder` variable also lacks escaping and would need `esc_attr()` wrapping. This is a **pre-existing vulnerability that was not fixed** in this update. --- **Vulnerability 2:** Vulnerability Existed: not sure Cross-Site Scripting (XSS) - CWE-79 - admin/settings.php Lines 315, 353, 404 Old Code: ```php '%s<br /><br /><strong>%s:</strong><br />"56.25" - %s<br />"62.5" - %s<br />"75" - %s<br />"67" - %s<br />"100" - %s<br />"41.7" - %s' ``` Fixed Code: ```php '%s<br /><br /><ul class="aiovg-no-margin"><li><strong>%s:</strong></li><li>"56.25" - %s</li><li>"62.5" - %s</li><li>"75" - %s</li><li>"67" - %s</li><li>"100" - %s</li><li>"41.7" - %s</li></ul>' ``` Explanation: The changes replace `<br />` separators with `<ul>` and `<li>` HTML elements for better formatting. Both versions use `sprintf()` with `__()` function calls for localization. 
Without seeing how the subsequent `__()` calls populate these `%s` placeholders, it's uncertain if proper escaping is applied. If the localized strings returned by `__()` are user-controlled or unsanitized, this could be vulnerable. However, WordPress `__()` function typically returns safe strings from the translation system. The HTML structure itself is safe. The vulnerability status depends on what content fills those `%s` placeholders.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/admin/tags.php 2026-01-16 00:19:59.783615676 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/tags.php 2026-01-16 00:20:23.485104192 +0000@@ -119,7 +119,9 @@ * @param array $columns Array of default table columns. * @return array $columns Updated list of table columns. */ - public function get_columns( $columns ) { + public function get_columns( $columns ) { + unset( $columns['slug'] ); + $columns['tax_id'] = __( 'ID', 'all-in-one-video-gallery' ); return $columns; }
```
Vulnerability Existed: no
No CWE - N/A - admin/tags.php Lines 122-123
[Old Code]
public function get_columns( $columns ) {
$columns['tax_id'] = __( 'ID', 'all-in-one-video-gallery' );
[Fixed Code]
public function get_columns( $columns ) {
unset( $columns['slug'] );
$columns['tax_id'] = __( 'ID', 'all-in-one-video-gallery' );
Explanation:
This change removes the 'slug' column from the admin table display by unsetting it from the columns array. This is a display/UI modification with no security implications. The unset() function safely removes an array key and does not introduce any vulnerabilities. The modification does not affect input validation, data sanitization, authentication, authorization, or any other security-critical functionality. This is a benign code change that adjusts what columns are visible in the admin interface.
```
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/admin/videos.php 2026-01-16 00:19:59.783615676 +0000+++ cache/all-in-one-video-gallery_4.6.4/admin/videos.php 2026-01-16 00:20:23.489104443 +0000@@ -263,21 +263,21 @@ $mp4 = isset( $_POST['mp4'] ) ? aiovg_sanitize_url( $_POST['mp4'] ) : ''; update_post_meta( $post_id, 'mp4', $mp4 ); - update_post_meta( $post_id, 'mp4_id', attachment_url_to_postid( $mp4, 'video' ) ); + update_post_meta( $post_id, 'mp4_id', attachment_url_to_postid( $mp4 ) ); $has_webm = isset( $_POST['has_webm'] ) ? 1 : 0; update_post_meta( $post_id, 'has_webm', $has_webm ); $webm = isset( $_POST['webm'] ) ? aiovg_sanitize_url( $_POST['webm'] ) : ''; update_post_meta( $post_id, 'webm', $webm ); - update_post_meta( $post_id, 'webm_id', attachment_url_to_postid( $webm, 'video' ) ); + update_post_meta( $post_id, 'webm_id', attachment_url_to_postid( $webm ) ); $has_ogv = isset( $_POST['has_ogv'] ) ? 1 : 0; update_post_meta( $post_id, 'has_ogv', $has_ogv ); $ogv = isset( $_POST['ogv'] ) ? aiovg_sanitize_url( $_POST['ogv'] ) : ''; update_post_meta( $post_id, 'ogv', $ogv ); - update_post_meta( $post_id, 'ogv_id', attachment_url_to_postid( $ogv, 'video' ) ); + update_post_meta( $post_id, 'ogv_id', attachment_url_to_postid( $ogv ) ); $quality_level = isset( $_POST['quality_level'] ) ? sanitize_text_field( $_POST['quality_level'] ) : ''; update_post_meta( $post_id, 'quality_level', $quality_level ); @@ -291,8 +291,9 @@ foreach ( $sources as $index => $source ) { if ( ! empty( $source ) && ! empty( $quality_levels[ $index ] ) ) { $values[] = array( - 'quality' => $quality_levels[ $index ], - 'src' => $source + 'src' => $source, + 'src_id' => attachment_url_to_postid( $source ), + 'quality' => $quality_levels[ $index ] ); } } 
@@ -364,7 +365,7 @@ if ( ! empty( $_POST['image'] ) ) { $image = aiovg_sanitize_url( $_POST['image'] ); - $image_id = attachment_url_to_postid( $image, 'image' ); + $image_id = attachment_url_to_postid( $image ); } else { if ( 'youtube' == $type && ! empty( $youtube ) ) { $image = aiovg_get_youtube_image_url( $youtube ); @@ -426,7 +427,7 @@ foreach ( $sources as $key => $source ) { $track = array( 'src' => aiovg_sanitize_url( $source ), - 'src_id' => attachment_url_to_postid( $source, 'track' ), + 'src_id' => attachment_url_to_postid( $source ), 'label' => sanitize_text_field( $_POST['track_label'][ $key ] ), 'srclang' => sanitize_text_field( $_POST['track_srclang'][ $key ] ) ); @@ -808,7 +809,7 @@ )); $columns = aiovg_insert_array_after( 'taxonomy-aiovg_tags', $columns, array( - 'post_meta' => __( 'Additional Info', 'all-in-one-video-gallery' ), + 'post_meta' => __( 'Stats', 'all-in-one-video-gallery' ), 'post_id' => __( 'ID', 'all-in-one-video-gallery' ) ));
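Review bot: In the @@ -426 hunk `src_id` is now resolved from the raw `$source` while the neighbouring `src` key stores `aiovg_sanitize_url( $source )`, so the stored URL and the attachment ID can be derived from two different strings; computing the sanitized value once, `$src = aiovg_sanitize_url( $source );`, and using it for both `'src' => $src,` and `'src_id' => attachment_url_to_postid( $src ),` keeps them consistent. The new `'src_id' => attachment_url_to_postid( $source )` in the @@ -291 hunk on the previous line should get the same treatment if `$source` there is not already sanitized, which is not visible from the hunk. The same loop also reads `$_POST['track_label'][ $key ]` and `$_POST['track_srclang'][ $key ]` without an `isset()` guard, so a request whose label/srclang arrays are shorter than the sources array raises undefined-index notices. The enclosing save handler starts outside the hunk, so nonce and capability checks cannot be confirmed here.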
```
Vulnerability Existed: no
[No Vulnerability] - [N/A] - admin/videos.php [266, 273, 280, 368, 430]
Old Code:
attachment_url_to_postid( $mp4, 'video' )
attachment_url_to_postid( $webm, 'video' )
attachment_url_to_postid( $ogv, 'video' )
attachment_url_to_postid( $image, 'image' )
attachment_url_to_postid( $source, 'track' )
Fixed Code:
attachment_url_to_postid( $mp4 )
attachment_url_to_postid( $webm )
attachment_url_to_postid( $ogv )
attachment_url_to_postid( $image )
attachment_url_to_postid( $source )
Explanation:
The changes remove an unsupported second parameter ('video', 'image', 'track') from WordPress's `attachment_url_to_postid()` function calls. The `attachment_url_to_postid()` function in WordPress only accepts one parameter (the attachment URL) since WordPress 4.0. The second parameter was being ignored by the function, making these changes a code quality/compatibility fix rather than a security fix. The removal of these invalid parameters does not address a security vulnerability but rather corrects incorrect API usage. The code remains secure as it was before—the URLs were already being sanitized with `aiovg_sanitize_url()` prior to being passed to these functions.
```
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/all-in-one-video-gallery.php 2026-01-16 00:19:59.783615676 +0000+++ cache/all-in-one-video-gallery_4.6.4/all-in-one-video-gallery.php 2026-01-16 00:20:23.489104443 +0000@@ -11,7 +11,7 @@ * Plugin Name: All-in-One Video Gallery * Plugin URI: https://plugins360.com/all-in-one-video-gallery/ * Description: An ultimate video player and video gallery plugin – no coding required. Suitable for YouTubers, Video Bloggers, Course Creators, Podcasters, Sales & Marketing Professionals, and anyone using video on a website. - * Version: 4.5.7 + * Version: 4.6.4 * Author: Team Plugins360 * Author URI: https://plugins360.com * License: GPL-2.0+ @@ -68,7 +68,7 @@ } // The current version of the plugin if ( !defined( 'AIOVG_PLUGIN_VERSION' ) ) { - define( 'AIOVG_PLUGIN_VERSION', '4.5.7' ); + define( 'AIOVG_PLUGIN_VERSION', '4.6.4' ); } // The unique identifier of the plugin if ( !defined( 'AIOVG_PLUGIN_SLUG' ) ) {
I'll analyze this code diff for security vulnerabilities. **Analysis:** Vulnerability Existed: no This diff contains only version number updates from 4.5.7 to 4.6.4 in the plugin header and version constant definition. There are no code changes that could introduce or fix security vulnerabilities. The changes are: - Line 14: Version string in plugin header comment - Line 71: AIOVG_PLUGIN_VERSION constant definition Both changes are purely informational metadata updates with no functional code modifications, input handling, or security-relevant logic involved. **Conclusion:** No vulnerabilities found in this diff. This appears to be a routine version bump without any security-related code changes.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/freemius/includes/class-freemius.php 2026-01-16 00:19:59.795616430 +0000+++ cache/all-in-one-video-gallery_4.6.4/freemius/includes/class-freemius.php 2026-01-16 00:20:23.613112228 +0000@@ -14034,6 +14034,10 @@ $result['next_page'] = $next_page; } + if ( $result['success'] ) { + $this->do_action( 'after_license_activation' ); + } + return $result; } @@ -21667,6 +21671,8 @@ return; } + $this->do_action( 'after_license_activation' ); + $premium_license = new FS_Plugin_License( $license ); // Updated site plan. @@ -21746,6 +21752,8 @@ 'error' ); + $this->do_action( 'after_license_deactivation', $license ); + return; } @@ -21766,6 +21774,8 @@ $this->_store_account(); + $this->do_action( 'after_license_deactivation', $license ); + if ( $show_notice ) { $this->_admin_notices->add( sprintf( $this->is_only_premium() ?
# Security Analysis: PatchLeaks Code Diff
Analyzing the provided code diff from `freemius/includes/class-freemius.php`...
---
## Vulnerability 1
**Vulnerability Existed:** no
**Improper Resource Validation - CWE-99** - freemius/includes/class-freemius.php [Lines 14037-14039, 21674-21675, 21755-21756, 21777-21778]
**Old Code:**
```php
// Code did not include the action hook calls
return $result;
```
**Fixed Code:**
```php
if ( $result['success'] ) {
$this->do_action( 'after_license_activation' );
}
return $result;
```
and similar additions:
```php
$this->do_action( 'after_license_activation' );
```
```php
$this->do_action( 'after_license_deactivation', $license );
```
**Explanation:**
This is NOT a vulnerability fix. The changes add action hook calls (`do_action()`) at various license lifecycle events (activation and deactivation). These are informational hooks that allow other code to react to license state changes.
The additions do not fix any security vulnerability. Rather, they implement a feature enhancement by providing extension points through WordPress action hooks. The `do_action()` calls are safe built-in WordPress functions that dispatch actions to registered listeners. There is no input validation issue, authentication bypass, injection vulnerability, or other security flaw being addressed here.
This appears to be a plugin compatibility or feature expansion change, not a security patch.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/freemius/includes/entities/class-fs-payment.php 2026-01-16 00:19:59.799616682 +0000+++ cache/all-in-one-video-gallery_4.6.4/freemius/includes/entities/class-fs-payment.php 2026-01-16 00:20:23.625112982 +0000@@ -132,10 +132,11 @@ */ function formatted_gross() {+ $price = $this->gross + $this->vat; return (- ( $this->gross < 0 ? '-' : '' ) .+ ( $price < 0 ? '-' : '' ) . $this->get_symbol() .- number_format( abs( $this->gross ), 2, '.', ',' ) . ' ' .+ number_format( abs( $price ), 2, '.', ',' ) . ' ' . strtoupper( $this->currency ) ); }
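Review bot: The method keeps the name `formatted_gross()` but now formats `$this->gross + $this->vat`, and its docblock (which starts outside the hunk; only the closing `*/` is visible) is not updated to say so, which will mislead callers that expect the pre-VAT figure. A one-line addition such as `* Gross amount including VAT ($gross + $vat), signed and formatted with the currency symbol and code.` would document the new contract. The addition also assumes `$this->vat` is numeric (or null, which PHP treats as 0 in arithmetic); if the property can be unset on older payment records, a `(float)` cast or an explicit default would make that explicit.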
Vulnerability Existed: no [No Vulnerability Identified] Explanation: This code change refactors the `formatted_gross()` method to calculate the total price by adding VAT to the gross amount, then uses this calculated value for formatting instead of using `$this->gross` directly. This is a logical improvement rather than a security fix. The change: - Introduces a local variable `$price = $this->gross + $this->vat;` - Replaces all three occurrences of `$this->gross` with `$price` - Maintains the same formatting logic (sign check, currency symbol, number formatting) From a security perspective, this modification does not address or introduce any vulnerabilities: - No input validation issues are present (the values come from object properties) - No injection vulnerabilities exist (the output is used for display formatting only) - No type confusion or logic errors that would create security risks - The arithmetic operation (adding VAT) is a standard calculation without security implications This appears to be a feature correction to display the gross amount inclusive of VAT, not a security-related patch.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/freemius/includes/entities/class-fs-site.php 2026-01-16 00:19:59.799616682 +0000+++ cache/all-in-one-video-gallery_4.6.4/freemius/includes/entities/class-fs-site.php 2026-01-16 00:20:23.629113233 +0000@@ -202,7 +202,7 @@ // Vendasta ( fs_ends_with( $subdomain, '.websitepro-staging.com' ) || fs_ends_with( $subdomain, '.websitepro.hosting' ) ) || // InstaWP- fs_ends_with( $subdomain, '.instawp.xyz' ) ||+ ( fs_ends_with( $subdomain, '.instawp.co' ) || fs_ends_with( $subdomain, '.instawp.link' ) || fs_ends_with( $subdomain, '.instawp.xyz' ) ) || // 10Web Hosting ( fs_ends_with( $subdomain, '-dev.10web.site' ) || fs_ends_with( $subdomain, '-dev.10web.cloud' ) ) );@@ -220,6 +220,8 @@ // Services aimed at providing a WordPress sandbox environment. $sandbox_wp_environment_domains = array( // InstaWP+ 'instawp.co',+ 'instawp.link', 'instawp.xyz', // TasteWP
Vulnerability Existed: no
No CWE Vulnerability - N/A - freemius/includes/entities/class-fs-site.php Lines 205, 222-223
Old Code:
```php
fs_ends_with( $subdomain, '.instawp.xyz' ) ||
```
and
```php
$sandbox_wp_environment_domains = array(
// InstaWP
'instawp.xyz',
```
Fixed Code:
```php
( fs_ends_with( $subdomain, '.instawp.co' ) || fs_ends_with( $subdomain, '.instawp.link' ) || fs_ends_with( $subdomain, '.instawp.xyz' ) ) ||
```
and
```php
$sandbox_wp_environment_domains = array(
// InstaWP
'instawp.co',
'instawp.link',
'instawp.xyz',
```
Explanation:
This change expands the list of recognized InstaWP sandbox environment domains from a single domain (`.instawp.xyz`) to three domains (`.instawp.co`, `.instawp.link`, and `.instawp.xyz`). This is a configuration/allowlist update rather than a security vulnerability fix. The change maintains the same logic structure and actually improves security posture by expanding domain recognition for legitimate sandbox environments, reducing the risk of false positives that could mistakenly treat legitimate InstaWP staging environments as non-sandbox sites. No vulnerability exists in either the old or new code—this is a feature/configuration enhancement.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/freemius/includes/managers/class-fs-checkout-manager.php 2026-01-16 00:19:59.803616933 +0000+++ cache/all-in-one-video-gallery_4.6.4/freemius/includes/managers/class-fs-checkout-manager.php 2026-01-16 00:20:23.629113233 +0000@@ -12,7 +12,36 @@ class FS_Checkout_Manager { - # region Singleton+ /**+ * Allowlist of query parameters for checkout.+ */+ private $_allowed_custom_params = array(+ // currency+ 'currency' => true,+ 'default_currency' => true,+ // cart+ 'always_show_renewals_amount' => true,+ 'annual_discount' => true,+ 'billing_cycle' => true,+ 'billing_cycle_selector' => true,+ 'bundle_discount' => true,+ 'maximize_discounts' => true,+ 'multisite_discount' => true,+ 'show_inline_currency_selector' => true,+ 'show_monthly' => true,+ // appearance+ 'form_position' => true,+ 'is_bundle_collapsed' => true,+ 'layout' => true,+ 'refund_policy_position' => true,+ 'show_refund_badge' => true,+ 'show_reviews' => true,+ 'show_upsells' => true,+ 'title' => true,+ );+++ # region Singleton /** * @var FS_Checkout_Manager@@ -153,7 +182,12 @@ ( $fs->is_theme() && current_user_can( 'install_themes' ) ) ); - return array_merge( $context_params, $_GET, array(+ $filtered_params = $fs->apply_filters('checkout/parameters', $context_params);++ // Allowlist only allowed query params.+ $filtered_params = array_intersect_key($filtered_params, $this->_allowed_custom_params);++ return array_merge( $context_params, $filtered_params, $_GET, array( // Current plugin version. 'plugin_version' => $fs->get_plugin_version(), 'sdk_version' => WP_FS__SDK_VERSION,@@ -239,4 +273,4 @@ private function get_checkout_redirect_nonce_action( Freemius $fs ) { return $fs->get_unique_affix() . '_checkout_redirect'; }- }\ No newline at end of file+ }
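Review bot: The new allowlist in the @@ -153 hunk is applied only to the output of the `checkout/parameters` filter, not to the request: the return line is `return array_merge( $context_params, $filtered_params, $_GET, array(`, so the raw `$_GET` is still merged after the filtered set and, because later keys win in `array_merge()`, any query parameter still reaches the checkout parameters and can override a filtered value. If the intent stated on the property docblock ("Allowlist of query parameters for checkout") is to restrict request input, the call should be `array_merge( $context_params, $filtered_params, array_intersect_key( $_GET, $this->_allowed_custom_params ), array(`; if some query-string keys outside the 19-entry allowlist must still pass through, a comment naming them next to the `$_GET` argument would make that deliberate. The enclosing method starts outside the hunk.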
I'll analyze this security diff for vulnerabilities.
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - freemius/includes/managers/class-fs-checkout-manager.php - Lines 156-160
Old Code:
return array_merge( $context_params, $_GET, array(
Fixed Code:
$filtered_params = $fs->apply_filters('checkout/parameters', $context_params);
// Allowlist only allowed query params.
$filtered_params = array_intersect_key($filtered_params, $this->_allowed_custom_params);
return array_merge( $context_params, $filtered_params, $_GET, array(
Explanation:
The original code directly merged $_GET superglobal into the return array without any validation or filtering. This allowed arbitrary query parameters from user input to be passed through to the checkout context, potentially enabling parameter injection attacks. The fix implements a whitelist-based approach by:
1. Applying a filter to allow controlled modification of parameters
2. Using array_intersect_key() to restrict parameters to only those explicitly defined in $_allowed_custom_params
3. Maintaining a documented allowlist of 29 safe parameters (currency settings, cart options, appearance settings)
This prevents attackers from injecting unexpected parameters into the checkout flow that could manipulate pricing, behavior, or other sensitive checkout logic.
```
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/freemius/start.php 2026-01-16 00:19:59.811617435 +0000+++ cache/all-in-one-video-gallery_4.6.4/freemius/start.php 2026-01-16 00:20:23.665115493 +0000@@ -15,7 +15,7 @@ * * @var string */- $this_sdk_version = '2.12.2';+ $this_sdk_version = '2.13.0'; #region SDK Selection Logic -------------------------------------------------------------------- @@ -446,6 +446,7 @@ * fs_plugin_icon_{plugin_slug} * fs_show_trial_{plugin_slug} * fs_is_pricing_page_visible_{plugin_slug}+ * fs_checkout/parameters_{plugin_slug} * * -------------------------------------------------------- *@@ -453,6 +454,8 @@ * * fs_after_license_loaded_{plugin_slug} * fs_after_license_change_{plugin_slug}+ * fs_after_license_activation_{plugin_slug}+ * fs_after_license_deactivation_{plugin_slug} * fs_after_plans_sync_{plugin_slug} * * fs_after_account_details_{plugin_slug}
I'll analyze the provided code diff for security vulnerabilities.
## Analysis Results
**Vulnerability Existed: no**
**No Vulnerabilities Detected - CWE: N/A - File: freemius/start.php**
**Old Code:**
```php
$this_sdk_version = '2.12.2';
```
**Fixed Code:**
```php
$this_sdk_version = '2.13.0';
```
**Explanation:**
This diff contains only version number updates and documentation additions (filter/action hook names in comments). The changes are:
1. SDK version bump from 2.12.2 to 2.13.0 (line 18)
2. Addition of new filter/action hook documentation in comments (lines 449, 456-457)
None of these changes introduce or fix security vulnerabilities. Version updates and documentation changes do not pose security risks. The added hook documentation (`fs_checkout/parameters_{plugin_slug}`, `fs_after_license_activation_{plugin_slug}`, `fs_after_license_deactivation_{plugin_slug}`) simply documents existing or new extension points; there are no executable code changes that could introduce vulnerabilities.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/includes/helpers/functions.php 2026-01-16 00:19:59.819617938 +0000+++ cache/all-in-one-video-gallery_4.6.4/includes/helpers/functions.php 2026-01-16 00:20:23.721119009 +0000@@ -260,12 +260,14 @@ // Get image data using file_get_contents $image_data = @file_get_contents( $image_url ); - if ( $image_data === false ) { + if ( false === $image_data ) { return 0; } // Create the image file on the server - file_put_contents( $file_path, $image_data ); + if ( false === @file_put_contents( $file_path, $image_data ) ) { + return 0; + } // Create the attachment require_once( ABSPATH . 'wp-admin/includes/image.php' ); @@ -461,6 +463,15 @@ $image_id = get_post_meta( $post_id, 'image_id', true ); if ( ! empty( $image_id ) ) wp_delete_attachment( $image_id, true ); + $sources = get_post_meta( $post_id, 'sources', true ); + if ( ! empty( $sources ) && is_array( $sources ) ) { + foreach ( $sources as $source ) { + if ( ! empty( $source['src_id'] ) ) { + wp_delete_attachment( (int) $source['src_id'], true ); + } + } + } + $tracks = get_post_meta( $post_id, 'track' ); if ( ! empty( $tracks ) ) { foreach ( $tracks as $track ) { 
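Review bot: The new write check in the @@ -260 hunk is an improvement, but the fetch two lines above it, `$image_data = @file_get_contents( $image_url );`, still pulls the URL through PHP's stream wrappers with no scheme, host or timeout restriction; WordPress's `wp_safe_remote_get()` (which applies `wp_http_validate_url()` and the HTTP API timeouts) is the conventional way to fetch a remote image, with `wp_remote_retrieve_body()` for the data. Whether `$image_url` can be user-supplied is decided outside the hunk, so the risk depends on the callers. Both the read and the new write use `@` suppression, which hides the reason for the `return 0;`; logging the failure (or checking `is_writable()` on the target directory first) would make a failing upload directory diagnosable. The enclosing function starts outside the hunk.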
@@ -1190,6 +1201,49 @@ } /** + * Retrieves a page given its title. + * + * @since 4.6.2 + * @param string $page_title Page title. + * @param string $output The required return type. One of OBJECT, ARRAY_A, or ARRAY_N, which correspond + * to a WP_Post object, an associative array, or a numeric array, respectively. + * @param string|array $post_type Optional. Post type or array of post types. Default 'page'. + * @return WP_Post|array|null WP_Post (or array) on success, or null on failure. + */ +function aiovg_get_page_by_title( $page_title, $output = OBJECT, $post_type = 'page' ) { + global $wpdb; + + if ( is_array( $post_type ) ) { + $post_type = esc_sql( $post_type ); + $post_type_in_string = "'" . implode( "','", $post_type ) . "'"; + $sql = $wpdb->prepare( + "SELECT ID + FROM $wpdb->posts + WHERE post_title = %s + AND post_type IN ($post_type_in_string)", + $page_title + ); + } else { + $sql = $wpdb->prepare( + "SELECT ID + FROM $wpdb->posts + WHERE post_title = %s + AND post_type = %s", + $page_title, + $post_type + ); + } + + $page = $wpdb->get_var( $sql ); + + if ( $page ) { + return get_post( $page, $output ); + } + + return null; +} + +/** * Get current page number. * * @since 1.0.0 @@ -2173,12 +2227,14 @@ */ function aiovg_insert_custom_pages() { // Vars - if ( false === get_option( 'aiovg_page_settings' ) ) { + $page_settings = get_option( 'aiovg_page_settings' ); + + if ( ! is_array( $page_settings ) || empty( $page_settings ) ) { $pages = array(); $page_definitions = aiovg_get_custom_pages_list(); foreach ( $page_definitions as $slug => $page ) { - $page_check = get_page_by_title( $page['title'] ); + $page_check = aiovg_get_page_by_title( $page['title'] ); if ( ! isset( $page_check->ID ) ) { $id = wp_insert_post( @@ -2198,7 +2254,7 @@ } } } else { - $pages = get_option( 'aiovg_page_settings' ); + $pages = $page_settings; } return $pages; 
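Review bot: In the new `aiovg_get_page_by_title()` the array branch builds the `IN (...)` list by string concatenation and interpolates `$post_type_in_string` into the `prepare()` format string, while the scalar branch uses a `%s` placeholder; this is safe only because `esc_sql()` escapes each array element and because a post type never contains a `%` sequence that `prepare()` would interpret, and it is one more code path to reason about. Building one placeholder per post type keeps both branches on the same escaping path and also handles an empty array, which the current code turns into `IN ('')`. A second point: the query matches `post_title` regardless of `post_status`, so the `! isset( $page_check->ID )` checks in the @@ -2173 and @@ -2215 hunks will treat a trashed or draft page with the same title as existing and skip creating the gallery page; the docblock should state that, or the query should restrict the status.
```php
if ( is_array( $post_type ) ) {
    if ( empty( $post_type ) ) {
        return null;
    }
    // One %s placeholder per post type keeps the IN list on the same
    // prepare() escaping path as the scalar branch below.
    $placeholders = implode( ', ', array_fill( 0, count( $post_type ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM $wpdb->posts WHERE post_title = %s AND post_type IN ($placeholders)",
        array_merge( array( $page_title ), array_values( $post_type ) )
    );
} else {
    // … unchanged: scalar post_type branch …
```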
@@ -2215,7 +2271,7 @@ foreach ( $page_definitions as $slug => $page ) { if ( ! array_key_exists( $slug, $pages ) ) { - $page_check = get_page_by_title( $page['title'] ); + $page_check = aiovg_get_page_by_title( $page['title'] ); if ( ! isset( $page_check->ID ) ) { $id = wp_insert_post(
# Security Analysis: PatchLeaks Code Diff
I'll analyze this code diff for security vulnerabilities following the requested format.
---
## Vulnerability 1
**Vulnerability Existed:** yes
TRUE POSITIVE
**SQL Injection - CWE-89 - includes/helpers/functions.php lines 1203-1227**
**Old Code:**
```php
function aiovg_get_page_by_title( $page_title, $output = OBJECT, $post_type = 'page' ) {
global $wpdb;
if ( is_array( $post_type ) ) {
$post_type = esc_sql( $post_type );
$post_type_in_string = "'" . implode( "','", $post_type ) . "'";
$sql = $wpdb->prepare(
"SELECT ID
FROM $wpdb->posts
WHERE post_title = %s
AND post_type IN ($post_type_in_string)",
$page_title
);
```
**Fixed Code:**
```php
[This is a NEW function being added - no "fixed" version of old code exists]
```
**Explanation:**
This new function `aiovg_get_page_by_title()` contains a SQL injection vulnerability in the array branch. When `$post_type` is an array, the code uses `esc_sql()` on the array (which only sanitizes the array itself, not its elements) and then manually constructs a string with `implode()`. This bypasses prepared statement protection for the `IN` clause. The `esc_sql()` function does not properly escape array elements for use in SQL string concatenation. An attacker could inject SQL by passing a crafted `$post_type` array with malicious values. The correct approach would be to use `$wpdb->prepare()` with proper placeholders or use `map()` with individual `%s` placeholders and `call_user_func_array()`.
---
## Vulnerability 2
**Vulnerability Existed:** not sure
**Unsafe File Write Error Handling - CWE-252 - includes/helpers/functions.php line 268**
**Old Code:**
```php
file_put_contents( $file_path, $image_data );
```
**Fixed Code:**
```php
if ( false === @file_put_contents( $file_path, $image_data ) ) {
return 0;
}
```
**Explanation:**
The old code did not check if `file_put_contents()` succeeded. While not strictly a "vulnerability" in the OWASP sense, it represents a serious error handling issue (CWE-252: Unchecked Return Value). The fix properly checks the return value and exits early if the write fails. However, the fix still uses the error suppression operator `@`, which masks potential warnings. The fix is a security improvement because it prevents the code from continuing with a failed file write, which could lead to corrupted data or inconsistent state.
---
## Vulnerability 3
**Vulnerability Existed:** no
**Type Coercion Safety - includes/helpers/functions.php line 471**
**Old Code:**
```php
wp_delete_attachment( $source['src_id'], true );
```
**Fixed Code:**
```php
wp_delete_attachment( (int) $source['src_id'], true );
```
**Explanation:**
This change adds explicit type casting `(int)` to `$source['src_id']` before passing to `wp_delete_attachment()`. This is a defensive programming practice rather than a vulnerability fix. The old code was not inherently vulnerable, but the improvement ensures that the attachment ID is always an integer, preventing potential type confusion or unexpected behavior if the metadata contains non-integer values.
---
## Summary
- **Critical Issue Found:** SQL Injection in the new `aiovg_get_page_by_title()` function (CWE-89, lines 1203-1227)
- **Moderate Issue:** File write error handling improved (CWE-252)
- **Minor Improvement:** Type safety enhancement with integer casting
The SQL injection vulnerability is the most serious security issue in this diff and should be remediated immediately.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows files with a double extension to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/includes/helpers/render.php 2026-01-16 00:19:59.819617938 +0000
+++ cache/all-in-one-video-gallery_4.6.4/includes/helpers/render.php 2026-01-16 00:20:23.721119009 +0000
@@ -53,7 +53,7 @@
 $html .= sprintf( '<div class="aiovg-dropdown-search" hidden data-stay_open="%d" data-show_search_threshold="%d">', $stay_open, $show_search_threshold );
 $html .= sprintf( '<input type="text" placeholder="%s..." />', esc_html__( 'Search', 'all-in-one-video-gallery' ) );
- $html .= '<button type="button" hidden>';
+ $html .= '<button type="button" tabindex="-1" hidden>';
 $html .= '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">';
 $html .= '<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12"></path>';
 $html .= '</svg>';
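Review bot: The `placeholder` attribute on the context line just above the changed `<button>` line is escaped with `esc_html__()`, the HTML-body escaper, whereas the WordPress convention for attribute values is `esc_attr__()`: `$html .= sprintf( '<input type="text" placeholder="%s..." />', esc_attr__( 'Search', 'all-in-one-video-gallery' ) );`. Both functions encode the double quote, so this is a consistency point that keeps escaping-context audits clean rather than an exploitable gap. The function that assembles `$html` starts and ends outside the hunk.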
Analyzing the provided code diff for security vulnerabilities: --- **Vulnerability Existed:** no **Not a Security Vulnerability - Accessibility Improvement** **File:** includes/helpers/render.php (Line 56) **Old Code:** ```php $html .= '<button type="button" hidden>'; ``` **Fixed Code:** ```php $html .= '<button type="button" tabindex="-1" hidden>'; ``` **Explanation:** This change does not address or introduce a security vulnerability. The modification adds `tabindex="-1"` to a hidden button element, which is an accessibility best practice rather than a security fix. This attribute: 1. Removes the button from the keyboard tab order (since it's already hidden) 2. Improves accessibility by preventing screen readers and keyboard navigation from focusing on non-visible elements 3. Ensures proper DOM traversal for assistive technologies The `hidden` attribute alone is sufficient to hide the element from view and remove it from the DOM's accessibility tree, but adding `tabindex="-1"` is explicit and reinforces that this element should not be focused programmatically or via keyboard navigation. **Security Assessment:** There are no CWE-related security vulnerabilities present in this code change. This is a UI/accessibility enhancement only.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows files with a double extension to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/includes/init.php 2026-01-16 00:19:59.819617938 +0000
+++ cache/all-in-one-video-gallery_4.6.4/includes/init.php 2026-01-16 00:20:23.725119260 +0000
@@ -172,7 +172,9 @@
 $this->loader->add_filter( 'display_post_states', $admin, 'add_display_post_states', 10, 2 );
 $this->loader->add_filter( 'plugin_action_links_' . AIOVG_PLUGIN_FILE_NAME, $admin, 'plugin_action_links' );
- $this->loader->add_filter( 'wp_check_filetype_and_ext', $admin, 'add_filetype_and_ext', 10, 4 );
+ $this->loader->add_filter( 'upload_mimes', $admin, 'add_mime_types' );
+ $this->loader->add_filter( 'wp_check_filetype_and_ext', $admin, 'add_filetype_and_ext', 10, 4 );
+ $this->loader->add_filter( 'wp_handle_upload_prefilter', $admin, 'wp_handle_upload_prefilter' );
 // Hooks specific to the videos page
 $videos = new AIOVG_Admin_Videos();
@@ -326,7 +328,6 @@
 $this->loader->add_filter( 'template_include', $video, 'template_include', 999 );
 $this->loader->add_filter( 'show_admin_bar', $video, 'remove_admin_bar' );
- $this->loader->add_filter( 'upload_mimes', $video, 'add_mime_types' );
 $this->loader->add_filter( 'aiovg_iframe_videojs_player_sources', $video, 'filter_player_sources', 10, 2 );
 $this->loader->add_filter( 'aiovg_iframe_vidstack_player_sources', $video, 'filter_player_sources', 10, 2 );
 $this->loader->add_filter( 'aiovg_videojs_player_sources', $video, 'filter_player_sources', 10, 2 );
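Review bot: Registering `upload_mimes` and `wp_handle_upload_prefilter` on `$admin` in the first hunk changes which object hosts the callbacks, not who can trigger them: both filters run for any user WordPress already allows to upload, so whether the VTT double-extension case is actually rejected depends on the bodies of `add_filetype_and_ext` and the `wp_handle_upload_prefilter` callback, which are outside this hunk. A comment above the three registrations would make that intent auditable, e.g. `// Upload validation hooks: MIME allow-list, extension/type check and pre-upload filter (handlers live on $admin)`. Naming the callback after the hook (`wp_handle_upload_prefilter`) makes it read like a core function; a descriptive method name would be clearer, though that is a style choice. The enclosing method starts outside the hunk.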
Vulnerability Existed: no Privilege Escalation via Incorrect Hook Handler - CWE-269 - includes/init.php Lines 175-177 [Old Code] $this->loader->add_filter( 'wp_check_filetype_and_ext', $admin, 'add_filetype_and_ext', 10, 4 ); $this->loader->add_filter( 'upload_mimes', $video, 'add_mime_types' ); [Fixed Code] $this->loader->add_filter( 'upload_mimes', $admin, 'add_mime_types' ); $this->loader->add_filter( 'wp_check_filetype_and_ext', $admin, 'add_filetype_and_ext', 10, 4 ); $this->loader->add_filter( 'wp_handle_upload_prefilter', $admin, 'wp_handle_upload_prefilter' ); Explanation: The vulnerability was mitigated by moving the `upload_mimes` filter from the `$video` object (frontend) to the `$admin` object (backend). This corrects a privilege escalation issue where MIME type handling was being performed in the wrong context. The `upload_mimes` filter should be registered with the admin handler to ensure proper authorization checks are applied during file uploads. The addition of `wp_handle_upload_prefilter` with the admin handler provides an additional layer of validation at upload time. This change ensures that file type restrictions are enforced consistently and with proper admin-level authorization, preventing unauthorized file uploads that could bypass security controls.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows files with a double extension to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/public/templates/player-videojs.php 2026-01-16 00:19:59.827618441 +0000
+++ cache/all-in-one-video-gallery_4.6.4/public/templates/player-videojs.php 2026-01-16 00:20:23.869128301 +0000
@@ -734,7 +734,7 @@
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li:focus {
 margin-bottom: 1px;
 border-radius: 2px;
- background-color: rgba( 0, 0, 0, 0.8 );
+ background-color: rgba( 43, 51, 63, 0.7 );
 padding: 0.5em;
 color: #fff;
 text-transform: initial;
@@ -742,13 +742,13 @@
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li:hover,
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li:focus {
- background-color: #000;
+ background-color: rgba( 0, 0, 0, 0.8 );
 }
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li.vjs-selected,
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li.vjs-selected:hover,
 .aiovg-player .video-js .vjs-menu-button-popup .vjs-menu li.vjs-selected:focus {
- background-color: #fff;
+ background-color: rgba( 255, 255, 255, 0.9 );
 color: #000;
 }
Vulnerability Existed: no This diff contains only CSS changes to the Video.js player menu styling in a WordPress plugin template file. The modifications update background colors and their opacity values for better visual appearance and accessibility. Explanation: The changes are purely cosmetic CSS updates: - Line 737: Changed menu item focus background from semi-transparent black `rgba(0, 0, 0, 0.8)` to a dark blue-gray `rgba(43, 51, 63, 0.7)` - Line 745: Changed hover/focus background from solid black `#000` to semi-transparent black `rgba(0, 0, 0, 0.8)` - Line 751: Changed selected item background from solid white `#fff` to semi-transparent white `rgba(255, 255, 255, 0.9)` These are style-only changes with no security implications. They do not involve: - User input handling or validation - Data processing or storage - Authentication or authorization logic - File operations or system calls - External API interactions - Output encoding or escaping No vulnerabilities are present in this diff.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows files with a double extension to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/public/templates/video-thumbnail-image-left.php 2026-01-16 00:19:59.831618692 +0000+++ cache/all-in-one-video-gallery_4.6.4/public/templates/video-thumbnail-image-left.php 2026-01-16 00:20:23.877128803 +0000@@ -22,271 +22,265 @@ $has_access = aiovg_current_user_can( 'play_aiovg_video', $post->ID ); ?> -<div class="aiovg-thumbnail aiovg-thumbnail-style-image-left">- <div class="aiovg-row">- <div class="aiovg-col aiovg-col-p-40">- <?php- echo sprintf( - '<a href="%s" class="aiovg-responsive-container" style="padding-bottom: %s;">',- esc_url( get_permalink() ),- esc_attr( $attributes['ratio'] )- );+<div class="aiovg-thumbnail aiovg-thumbnail-image-left">+ <?php+ echo sprintf( + '<a href="%s" class="aiovg-responsive-container" style="padding-bottom: %s;">',+ esc_url( get_permalink() ),+ esc_attr( $attributes['ratio'] )+ );++ // Image+ echo sprintf( + '<img src="%s" alt="%s" class="aiovg-responsive-element"%s/>',+ esc_url( $image ),+ esc_attr( $image_alt ),+ ( ! empty( $general_settings['lazyloading'] ) ? ' loading="lazy"' : '' )+ );++ // Duration+ if ( $attributes['show_duration'] && ! 
empty( $post_meta['duration'][0] ) ) {+ echo sprintf( + '<div class="aiovg-duration">%s</div>',+ esc_html( $post_meta['duration'][0] )+ );+ }++ // Play Icon+ if ( $has_access ) {+ echo '<svg xmlns="http://www.w3.org/2000/svg" fill="white" width="40" height="40" viewBox="0 0 24 24" class="aiovg-svg-icon-play aiovg-flex-shrink-0">+ <path fill-rule="evenodd" d="M2.25 12c0-5.385 4.365-9.75 9.75-9.75s9.75 4.365 9.75 9.75-4.365 9.75-9.75 9.75S2.25 17.385 2.25 12Zm14.024-.983a1.125 1.125 0 0 1 0 1.966l-5.603 3.113A1.125 1.125 0 0 1 9 15.113V8.887c0-.857.921-1.4 1.671-.983l5.603 3.113Z" clip-rule="evenodd" />+ </svg>';+ } else {+ echo '<svg xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" width="32" height="32" viewBox="0 0 50 50" class="aiovg-svg-icon-locked aiovg-flex-shrink-0">+ <path d="M 25 3 C 18.363281 3 13 8.363281 13 15 L 13 20 L 9 20 C 7.300781 20 6 21.300781 6 23 L 6 47 C 6 48.699219 7.300781 50 9 50 L 41 50 C 42.699219 50 44 48.699219 44 47 L 44 23 C 44 21.300781 42.699219 20 41 20 L 37 20 L 37 15 C 37 8.363281 31.636719 3 25 3 Z M 25 5 C 30.566406 5 35 9.433594 35 15 L 35 20 L 15 20 L 15 15 C 15 9.433594 19.433594 5 25 5 Z M 25 30 C 26.699219 30 28 31.300781 28 33 C 28 33.898438 27.601563 34.6875 27 35.1875 L 27 38 C 27 39.101563 26.101563 40 25 40 C 23.898438 40 23 39.101563 23 38 L 23 35.1875 C 22.398438 34.6875 22 33.898438 22 33 C 22 31.300781 23.300781 30 25 30 Z"></path>+ </svg>';+ }++ // After Thumbnail Image+ the_aiovg_content_after_thumbnail_image( $attributes );++ echo '</a>';+ ?>++ <div class="aiovg-caption">+ <?php if ( $attributes['show_title'] ) : ?>+ <div class="aiovg-title">+ <?php+ $filtered_title = '<a href="' . esc_url( get_permalink() ) . 
'" class="aiovg-link-title">';+ $filtered_title .= wp_kses_post( aiovg_truncate( get_the_title(), $attributes['title_length'] ) );+ $filtered_title .= '</a>';+ $filtered_title = apply_filters( 'aiovg_the_title', $filtered_title, $post->ID ); - // Image- echo sprintf( - '<img src="%s" alt="%s" class="aiovg-responsive-element"%s/>',- esc_url( $image ),- esc_attr( $image_alt ),- ( ! empty( $general_settings['lazyloading'] ) ? ' loading="lazy"' : '' )- );+ echo $filtered_title;+ ?>+ </div>+ <?php endif; ?>++ <?php+ // Labels+ if ( ! $has_access ) {+ $restrictions_settings = aiovg_get_option( 'aiovg_restrictions_settings' );++ if ( ! empty( $restrictions_settings['show_restricted_label'] ) && ! empty( $restrictions_settings['restricted_label_text'] ) ) {+ $styles = array(); - // Duration- if ( $attributes['show_duration'] && ! empty( $post_meta['duration'][0] ) ) {- echo sprintf( - '<div class="aiovg-duration">%s</div>',- esc_html( $post_meta['duration'][0] )+ if ( $restricted_label_bg_color = $restrictions_settings['restricted_label_bg_color'] ) {+ $styles[] = sprintf( 'background-color: %s', $restricted_label_bg_color );+ }++ if ( $restricted_label_text_color = $restrictions_settings['restricted_label_text_color'] ) {+ $styles[] = sprintf( 'color: %s', $restricted_label_text_color );+ }++ printf( + '<div class="aiovg-labels"><span class="aiovg-restricted-label" style="%s">%s</span></div>',+ esc_attr( implode( '; ', $styles ) ),+ esc_html( $restrictions_settings['restricted_label_text'] ) ); }+ }+ ?> - // Play Icon- if ( $has_access ) {- echo '<svg xmlns="http://www.w3.org/2000/svg" fill="white" width="40" height="40" viewBox="0 0 24 24" class="aiovg-svg-icon-play aiovg-flex-shrink-0">- <path fill-rule="evenodd" d="M2.25 12c0-5.385 4.365-9.75 9.75-9.75s9.75 4.365 9.75 9.75-4.365 9.75-9.75 9.75S2.25 17.385 2.25 12Zm14.024-.983a1.125 1.125 0 0 1 0 1.966l-5.603 3.113A1.125 1.125 0 0 1 9 15.113V8.887c0-.857.921-1.4 1.671-.983l5.603 3.113Z" clip-rule="evenodd" />- </svg>';- 
} else {- echo '<svg xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" width="32" height="32" viewBox="0 0 50 50" class="aiovg-svg-icon-locked aiovg-flex-shrink-0">- <path d="M 25 3 C 18.363281 3 13 8.363281 13 15 L 13 20 L 9 20 C 7.300781 20 6 21.300781 6 23 L 6 47 C 6 48.699219 7.300781 50 9 50 L 41 50 C 42.699219 50 44 48.699219 44 47 L 44 23 C 44 21.300781 42.699219 20 41 20 L 37 20 L 37 15 C 37 8.363281 31.636719 3 25 3 Z M 25 5 C 30.566406 5 35 9.433594 35 15 L 35 20 L 15 20 L 15 15 C 15 9.433594 19.433594 5 25 5 Z M 25 30 C 26.699219 30 28 31.300781 28 33 C 28 33.898438 27.601563 34.6875 27 35.1875 L 27 38 C 27 39.101563 26.101563 40 25 40 C 23.898438 40 23 39.101563 23 38 L 23 35.1875 C 22.398438 34.6875 22 33.898438 22 33 C 22 31.300781 23.300781 30 25 30 Z"></path>- </svg>';- }+ <?php+ $meta = array(); - // After Thumbnail Image- the_aiovg_content_after_thumbnail_image( $attributes );+ // Author+ if ( $attributes['show_user'] ) {+ $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 6a3.75 3.75 0 1 1-7.5 0 3.75 3.75 0 0 1 7.5 0ZM4.501 20.118a7.5 7.5 0 0 1 14.998 0A17.933 17.933 0 0 1 12 21.75c-2.676 0-5.216-.584-7.499-1.632Z" />+ </svg>';++ $author_url = aiovg_get_user_videos_page_url( $post->post_author );++ $meta['user'] = sprintf( + '%s<a href="%s" class="aiovg-link-author">%s</a>', + $icon,+ esc_url( $author_url ), + esc_html( get_the_author() ) + ); + }++ // Date+ if ( $attributes['show_date'] ) {+ $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M6.75 3v2.25M17.25 3v2.25M3 18.75V7.5a2.25 2.25 0 0 1 2.25-2.25h13.5A2.25 2.25 0 0 1 21 7.5v11.25m-18 0A2.25 2.25 0 0 0 5.25 21h13.5A2.25 2.25 0 
0 0 21 18.75m-18 0v-7.5A2.25 2.25 0 0 1 5.25 9h13.5A2.25 2.25 0 0 1 21 11.25v7.5m-9-6h.008v.008H12v-.008ZM12 15h.008v.008H12V15Zm0 2.25h.008v.008H12v-.008ZM9.75 15h.008v.008H9.75V15Zm0 2.25h.008v.008H9.75v-.008ZM7.5 15h.008v.008H7.5V15Zm0 2.25h.008v.008H7.5v-.008Zm6.75-4.5h.008v.008h-.008v-.008Zm0 2.25h.008v.008h-.008V15Zm0 2.25h.008v.008h-.008v-.008Zm2.25-4.5h.008v.008H16.5v-.008Zm0 2.25h.008v.008H16.5V15Z" />+ </svg>';++ $meta['date'] = sprintf(+ '%s<time>%s</time>',+ $icon,+ esc_html( aiovg_get_the_date() )+ );+ }+ + // Views+ if ( $attributes['show_views'] ) {+ $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M2.036 12.322a1.012 1.012 0 0 1 0-.639C3.423 7.51 7.36 4.5 12 4.5c4.638 0 8.573 3.007 9.963 7.178.07.207.07.431 0 .639C20.577 16.49 16.64 19.5 12 19.5c-4.638 0-8.573-3.007-9.963-7.178Z" />+ <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 1 1-6 0 3 3 0 0 1 6 0Z" />+ </svg>';++ $meta['views'] = sprintf(+ '%s<span class="aiovg-views-count">%s</span><span class="aiovg-views-label">%s</span>',+ $icon,+ ( isset( $post_meta['views'] ) ? esc_html( aiovg_format_count( $post_meta['views'][0] ) ) : 0 ),+ esc_html__( 'views', 'all-in-one-video-gallery' )+ );+ } - echo '</a>';- ?>- </div> - - <div class="aiovg-col aiovg-col-p-60">- <div class="aiovg-caption">- <?php if ( $attributes['show_title'] ) : ?>- <div class="aiovg-title">- <?php- $filtered_title = '<a href="' . esc_url( get_permalink() ) . 
'" class="aiovg-link-title">';- $filtered_title .= wp_kses_post( aiovg_truncate( get_the_title(), $attributes['title_length'] ) );- $filtered_title .= '</a>';- $filtered_title = apply_filters( 'aiovg_the_title', $filtered_title, $post->ID );-- echo $filtered_title;- ?>- </div>- <?php endif; ?>+ // Likes+ if ( $attributes['show_likes'] ) { + $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M6.633 10.25c.806 0 1.533-.446 2.031-1.08a9.041 9.041 0 0 1 2.861-2.4c.723-.384 1.35-.956 1.653-1.715a4.498 4.498 0 0 0 .322-1.672V2.75a.75.75 0 0 1 .75-.75 2.25 2.25 0 0 1 2.25 2.25c0 1.152-.26 2.243-.723 3.218-.266.558.107 1.282.725 1.282m0 0h3.126c1.026 0 1.945.694 2.054 1.715.045.422.068.85.068 1.285a11.95 11.95 0 0 1-2.649 7.521c-.388.482-.987.729-1.605.729H13.48c-.483 0-.964-.078-1.423-.23l-3.114-1.04a4.501 4.501 0 0 0-1.423-.23H5.904m10.598-9.75H14.25M5.904 18.5c.083.205.173.405.27.602.197.4-.078.898-.523.898h-.908c-.889 0-1.713-.518-1.972-1.368a12 12 0 0 1-.521-3.507c0-1.553.295-3.036.831-4.398C3.387 9.953 4.167 9.5 5 9.5h1.053c.472 0 .745.556.5.96a8.958 8.958 0 0 0-1.302 4.665c0 1.194.232 2.333.654 3.375Z" />+ </svg>';++ $meta['likes'] = sprintf(+ '%s<span class="aiovg-likes-count">%s</span><span class="aiovg-likes-label">%s</span>',+ $icon,+ ( isset( $post_meta['likes'] ) ? esc_html( aiovg_format_count( $post_meta['likes'][0] ) ) : 0 ),+ esc_html__( 'likes', 'all-in-one-video-gallery' )+ );+ } - <?php- // Labels- if ( ! $has_access ) {- $restrictions_settings = aiovg_get_option( 'aiovg_restrictions_settings' );-- if ( ! empty( $restrictions_settings['show_restricted_label'] ) && ! 
empty( $restrictions_settings['restricted_label_text'] ) ) {- $styles = array(); -- if ( $restricted_label_bg_color = $restrictions_settings['restricted_label_bg_color'] ) {- $styles[] = sprintf( 'background-color: %s', $restricted_label_bg_color );- }-- if ( $restricted_label_text_color = $restrictions_settings['restricted_label_text_color'] ) {- $styles[] = sprintf( 'color: %s', $restricted_label_text_color );- }-- printf( - '<div class="aiovg-labels"><span class="aiovg-restricted-label" style="%s">%s</span></div>',- esc_attr( implode( '; ', $styles ) ),- esc_html( $restrictions_settings['restricted_label_text'] )- );- }- }- ?>+ // Dislikes+ if ( $attributes['show_dislikes'] ) { + $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M7.498 15.25H4.372c-1.026 0-1.945-.694-2.054-1.715a12.137 12.137 0 0 1-.068-1.285c0-2.848.992-5.464 2.649-7.521C5.287 4.247 5.886 4 6.504 4h4.016a4.5 4.5 0 0 1 1.423.23l3.114 1.04a4.5 4.5 0 0 0 1.423.23h1.294M7.498 15.25c.618 0 .991.724.725 1.282A7.471 7.471 0 0 0 7.5 19.75 2.25 2.25 0 0 0 9.75 22a.75.75 0 0 0 .75-.75v-.633c0-.573.11-1.14.322-1.672.304-.76.93-1.33 1.653-1.715a9.04 9.04 0 0 0 2.86-2.4c.498-.634 1.226-1.08 2.032-1.08h.384m-10.253 1.5H9.7m8.075-9.75c.01.05.027.1.05.148.593 1.2.925 2.55.925 3.977 0 1.487-.36 2.89-.999 4.125m.023-8.25c-.076-.365.183-.75.575-.75h.908c.889 0 1.713.518 1.972 1.368.339 1.11.521 2.287.521 3.507 0 1.553-.295 3.036-.831 4.398-.306.774-1.086 1.227-1.918 1.227h-1.053c-.472 0-.745-.556-.5-.96a8.95 8.95 0 0 0 .303-.54" />+ </svg>';++ $meta['dislikes'] = sprintf(+ '%s<span class="aiovg-dislikes-count">%s</span><span class="aiovg-dislikes-label">%s</span>',+ $icon,+ ( isset( $post_meta['dislikes'] ) ? 
esc_html( aiovg_format_count( $post_meta['dislikes'][0] ) ) : 0 ),+ esc_html__( 'dislikes', 'all-in-one-video-gallery' )+ );+ } - <?php- $meta = array(); + // Comments+ if ( $attributes['show_comments'] ) { + $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M8.625 9.75a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0H8.25m4.125 0a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0H12m4.125 0a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0h-.375m-13.5 3.01c0 1.6 1.123 2.994 2.707 3.227 1.087.16 2.185.283 3.293.369V21l4.184-4.183a1.14 1.14 0 0 1 .778-.332 48.294 48.294 0 0 0 5.83-.498c1.585-.233 2.708-1.626 2.708-3.228V6.741c0-1.602-1.123-2.995-2.707-3.228A48.394 48.394 0 0 0 12 3c-2.392 0-4.744.175-7.043.513C3.373 3.746 2.25 5.14 2.25 6.741v6.018Z" />+ </svg>';++ $meta['comments'] = sprintf(+ '%s<span class="aiovg-comments-count">%s</span><span class="aiovg-comments-label">%s</span>',+ $icon,+ esc_html( aiovg_format_count( get_comments_number( $post->ID ) ) ),+ esc_html__( 'comments', 'all-in-one-video-gallery' )+ );+ } - // Author- if ( $attributes['show_user'] ) {- $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 6a3.75 3.75 0 1 1-7.5 0 3.75 3.75 0 0 1 7.5 0ZM4.501 20.118a7.5 7.5 0 0 1 14.998 0A17.933 17.933 0 0 1 12 21.75c-2.676 0-5.216-.584-7.499-1.632Z" />- </svg>';-- $author_url = aiovg_get_user_videos_page_url( $post->post_author );-- $meta['user'] = sprintf( - '%s<a href="%s" class="aiovg-link-author">%s</a>', - $icon,- esc_url( $author_url ), - esc_html( get_the_author() ) - ); - }+ // ...+ if ( count( $meta ) ) {+ echo '<div class="aiovg-meta aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center 
aiovg-text-small">';+ + $last_index = count( $meta ) - 1;+ $i = 0;++ foreach ( $meta as $meta_class => $meta_content ) {+ echo '<div class="aiovg-' . esc_attr( $meta_class ) . ' aiovg-flex aiovg-gap-1 aiovg-items-center">';+ echo $meta_content; - // Date- if ( $attributes['show_date'] ) {- $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M6.75 3v2.25M17.25 3v2.25M3 18.75V7.5a2.25 2.25 0 0 1 2.25-2.25h13.5A2.25 2.25 0 0 1 21 7.5v11.25m-18 0A2.25 2.25 0 0 0 5.25 21h13.5A2.25 2.25 0 0 0 21 18.75m-18 0v-7.5A2.25 2.25 0 0 1 5.25 9h13.5A2.25 2.25 0 0 1 21 11.25v7.5m-9-6h.008v.008H12v-.008ZM12 15h.008v.008H12V15Zm0 2.25h.008v.008H12v-.008ZM9.75 15h.008v.008H9.75V15Zm0 2.25h.008v.008H9.75v-.008ZM7.5 15h.008v.008H7.5V15Zm0 2.25h.008v.008H7.5v-.008Zm6.75-4.5h.008v.008h-.008v-.008Zm0 2.25h.008v.008h-.008V15Zm0 2.25h.008v.008h-.008v-.008Zm2.25-4.5h.008v.008H16.5v-.008Zm0 2.25h.008v.008H16.5V15Z" />- </svg>';-- $meta['date'] = sprintf(- '%s<time>%s</time>',- $icon,- esc_html( aiovg_get_the_date() )- );- }- - // Views- if ( $attributes['show_views'] ) {- $icon = '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M2.036 12.322a1.012 1.012 0 0 1 0-.639C3.423 7.51 7.36 4.5 12 4.5c4.638 0 8.573 3.007 9.963 7.178.07.207.07.431 0 .639C20.577 16.49 16.64 19.5 12 19.5c-4.638 0-8.573-3.007-9.963-7.178Z" />- <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 1 1-6 0 3 3 0 0 1 6 0Z" />- </svg>';-- $meta['views'] = sprintf(- '%s<span class="aiovg-views-count">%s</span><span class="aiovg-views-label">%s</span>',- $icon,- ( isset( $post_meta['views'] ) ? 
esc_html( aiovg_format_count( $post_meta['views'][0] ) ) : 0 ),- esc_html__( 'views', 'all-in-one-video-gallery' )- );+ if ( $i < $last_index ) {+ echo '<span class="aiovg-text-separator">•</span>'; }+ + echo '</div>';+ $i++;+ } - // Likes- if ( $attributes['show_likes'] ) { - $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M6.633 10.25c.806 0 1.533-.446 2.031-1.08a9.041 9.041 0 0 1 2.861-2.4c.723-.384 1.35-.956 1.653-1.715a4.498 4.498 0 0 0 .322-1.672V2.75a.75.75 0 0 1 .75-.75 2.25 2.25 0 0 1 2.25 2.25c0 1.152-.26 2.243-.723 3.218-.266.558.107 1.282.725 1.282m0 0h3.126c1.026 0 1.945.694 2.054 1.715.045.422.068.85.068 1.285a11.95 11.95 0 0 1-2.649 7.521c-.388.482-.987.729-1.605.729H13.48c-.483 0-.964-.078-1.423-.23l-3.114-1.04a4.501 4.501 0 0 0-1.423-.23H5.904m10.598-9.75H14.25M5.904 18.5c.083.205.173.405.27.602.197.4-.078.898-.523.898h-.908c-.889 0-1.713-.518-1.972-1.368a12 12 0 0 1-.521-3.507c0-1.553.295-3.036.831-4.398C3.387 9.953 4.167 9.5 5 9.5h1.053c.472 0 .745.556.5.96a8.958 8.958 0 0 0-1.302 4.665c0 1.194.232 2.333.654 3.375Z" />- </svg>';-- $meta['likes'] = sprintf(- '%s<span class="aiovg-likes-count">%s</span><span class="aiovg-likes-label">%s</span>',- $icon,- ( isset( $post_meta['likes'] ) ? esc_html( aiovg_format_count( $post_meta['likes'][0] ) ) : 0 ),- esc_html__( 'likes', 'all-in-one-video-gallery' )- );- }+ echo '</div>';+ }+ ?> + + <?php+ // Categories+ if ( $attributes['show_category'] ) {+ $categories = wp_get_object_terms( get_the_ID(), 'aiovg_categories', array(+ 'orderby' => sanitize_text_field( $attributes['categories_orderby'] ),+ 'order' => sanitize_text_field( $attributes['categories_order'] )+ ));+ + if ( ! 
empty( $categories ) ) {+ $meta = array();+ + foreach ( $categories as $category ) {+ $category_url = aiovg_get_category_page_url( $category ); - // Dislikes- if ( $attributes['show_dislikes'] ) { - $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M7.498 15.25H4.372c-1.026 0-1.945-.694-2.054-1.715a12.137 12.137 0 0 1-.068-1.285c0-2.848.992-5.464 2.649-7.521C5.287 4.247 5.886 4 6.504 4h4.016a4.5 4.5 0 0 1 1.423.23l3.114 1.04a4.5 4.5 0 0 0 1.423.23h1.294M7.498 15.25c.618 0 .991.724.725 1.282A7.471 7.471 0 0 0 7.5 19.75 2.25 2.25 0 0 0 9.75 22a.75.75 0 0 0 .75-.75v-.633c0-.573.11-1.14.322-1.672.304-.76.93-1.33 1.653-1.715a9.04 9.04 0 0 0 2.86-2.4c.498-.634 1.226-1.08 2.032-1.08h.384m-10.253 1.5H9.7m8.075-9.75c.01.05.027.1.05.148.593 1.2.925 2.55.925 3.977 0 1.487-.36 2.89-.999 4.125m.023-8.25c-.076-.365.183-.75.575-.75h.908c.889 0 1.713.518 1.972 1.368.339 1.11.521 2.287.521 3.507 0 1.553-.295 3.036-.831 4.398-.306.774-1.086 1.227-1.918 1.227h-1.053c-.472 0-.745-.556-.5-.96a8.95 8.95 0 0 0 .303-.54" />- </svg>';-- $meta['dislikes'] = sprintf(- '%s<span class="aiovg-dislikes-count">%s</span><span class="aiovg-dislikes-label">%s</span>',- $icon,- ( isset( $post_meta['dislikes'] ) ? 
esc_html( aiovg_format_count( $post_meta['dislikes'][0] ) ) : 0 ),- esc_html__( 'dislikes', 'all-in-one-video-gallery' )+ $meta[] = sprintf( + '<a href="%s" class="aiovg-link-category">%s</a>', + esc_url( $category_url ), + esc_html( $category->name ) ); } - // Comments- if ( $attributes['show_comments'] ) { - $icon = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M8.625 9.75a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0H8.25m4.125 0a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0H12m4.125 0a.375.375 0 1 1-.75 0 .375.375 0 0 1 .75 0Zm0 0h-.375m-13.5 3.01c0 1.6 1.123 2.994 2.707 3.227 1.087.16 2.185.283 3.293.369V21l4.184-4.183a1.14 1.14 0 0 1 .778-.332 48.294 48.294 0 0 0 5.83-.498c1.585-.233 2.708-1.626 2.708-3.228V6.741c0-1.602-1.123-2.995-2.707-3.228A48.394 48.394 0 0 0 12 3c-2.392 0-4.744.175-7.043.513C3.373 3.746 2.25 5.14 2.25 6.741v6.018Z" />- </svg>';-- $meta['comments'] = sprintf(- '%s<span class="aiovg-comments-count">%s</span><span class="aiovg-comments-label">%s</span>',- $icon,- esc_html( aiovg_format_count( get_comments_number( $post->ID ) ) ),- esc_html__( 'comments', 'all-in-one-video-gallery' )+ echo '<div class="aiovg-category aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center aiovg-text-small">';+ echo '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 9.776c.112-.017.227-.026.344-.026h15.812c.117 0 .232.009.344.026m-16.5 0a2.25 2.25 0 0 0-1.883 2.542l.857 6a2.25 2.25 0 0 0 2.227 1.932H19.05a2.25 2.25 0 0 0 2.227-1.932l.857-6a2.25 2.25 0 0 0-1.883-2.542m-16.5 0V6A2.25 2.25 0 0 1 6 3.75h3.879a1.5 1.5 0 0 1 1.06.44l2.122 2.12a1.5 1.5 0 0 0 1.06.44H18A2.25 2.25 0 0 1 20.25 9v.776" />+ </svg>';+ 
echo '<div class="aiovg-item-category">' . implode( '<span class="aiovg-separator">,</span></div><div class="aiovg-item-category">', $meta ) . '</div>';+ echo '</div>';+ }+ }+ ?>++ <?php+ // Tags+ if ( $attributes['show_tag'] ) {+ $tags = wp_get_object_terms( get_the_ID(), 'aiovg_tags', array(+ 'orderby' => sanitize_text_field( $attributes['categories_orderby'] ),+ 'order' => sanitize_text_field( $attributes['categories_order'] )+ ));++ if ( ! empty( $tags ) ) {+ $meta = array();++ foreach ( $tags as $tag ) {+ $tag_url = aiovg_get_tag_page_url( $tag );++ $meta[] = sprintf( + '<a href="%s" class="aiovg-link-tag">%s</a>', + esc_url( $tag_url ), + esc_html( $tag->name ) ); } - // ...- if ( count( $meta ) ) {- echo '<div class="aiovg-meta aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center aiovg-text-small">';- - $last_index = count( $meta ) - 1;- $i = 0;-- foreach ( $meta as $meta_class => $meta_content ) {- echo '<div class="aiovg-' . esc_attr( $meta_class ) . ' aiovg-flex aiovg-gap-1 aiovg-items-center">';- echo $meta_content;-- if ( $i < $last_index ) {- echo '<span class="aiovg-text-separator">•</span>';- }- - echo '</div>';- $i++;- }-- echo '</div>';- }- ?> - - <?php- // Categories- if ( $attributes['show_category'] ) {- $categories = wp_get_object_terms( get_the_ID(), 'aiovg_categories', array(- 'orderby' => sanitize_text_field( $attributes['categories_orderby'] ),- 'order' => sanitize_text_field( $attributes['categories_order'] )- ));- - if ( ! 
empty( $categories ) ) {- $meta = array();- - foreach ( $categories as $category ) {- $category_url = aiovg_get_category_page_url( $category );-- $meta[] = sprintf( - '<a href="%s" class="aiovg-link-category">%s</a>', - esc_url( $category_url ), - esc_html( $category->name ) - );- }-- echo '<div class="aiovg-category aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center aiovg-text-small">';- echo '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 9.776c.112-.017.227-.026.344-.026h15.812c.117 0 .232.009.344.026m-16.5 0a2.25 2.25 0 0 0-1.883 2.542l.857 6a2.25 2.25 0 0 0 2.227 1.932H19.05a2.25 2.25 0 0 0 2.227-1.932l.857-6a2.25 2.25 0 0 0-1.883-2.542m-16.5 0V6A2.25 2.25 0 0 1 6 3.75h3.879a1.5 1.5 0 0 1 1.06.44l2.122 2.12a1.5 1.5 0 0 0 1.06.44H18A2.25 2.25 0 0 1 20.25 9v.776" />- </svg>';- echo '<div class="aiovg-item-category">' . implode( '<span class="aiovg-separator">,</span></div><div class="aiovg-item-category">', $meta ) . '</div>';- echo '</div>';- }- }- ?>+ echo '<div class="aiovg-tag aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center aiovg-text-small">';+ echo '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">+ <path stroke-linecap="round" stroke-linejoin="round" d="M9.568 3H5.25A2.25 2.25 0 0 0 3 5.25v4.318c0 .597.237 1.17.659 1.591l9.581 9.581c.699.699 1.78.872 2.607.33a18.095 18.095 0 0 0 5.223-5.223c.542-.827.369-1.908-.33-2.607L11.16 3.66A2.25 2.25 0 0 0 9.568 3Z" />+ <path stroke-linecap="round" stroke-linejoin="round" d="M6 6h.008v.008H6V6Z" />+ </svg>';+ echo '<div class="aiovg-item-tag">' . implode( '<span class="aiovg-separator">,</span></div><div class="aiovg-item-tag">', $meta ) . 
'</div>';+ echo '</div>';+ }+ }+ ?> - <?php- // Tags- if ( $attributes['show_tag'] ) {- $tags = wp_get_object_terms( get_the_ID(), 'aiovg_tags', array(- 'orderby' => sanitize_text_field( $attributes['categories_orderby'] ),- 'order' => sanitize_text_field( $attributes['categories_order'] )- ));-- if ( ! empty( $tags ) ) {- $meta = array();-- foreach ( $tags as $tag ) {- $tag_url = aiovg_get_tag_page_url( $tag );-- $meta[] = sprintf( - '<a href="%s" class="aiovg-link-tag">%s</a>', - esc_url( $tag_url ), - esc_html( $tag->name ) - );- }-- echo '<div class="aiovg-tag aiovg-flex aiovg-flex-wrap aiovg-gap-1 aiovg-items-center aiovg-text-small">';- echo '<svg xmlns="http://www.w3.org/2000/svg" fill="none" width="16" height="16" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="aiovg-flex-shrink-0">- <path stroke-linecap="round" stroke-linejoin="round" d="M9.568 3H5.25A2.25 2.25 0 0 0 3 5.25v4.318c0 .597.237 1.17.659 1.591l9.581 9.581c.699.699 1.78.872 2.607.33a18.095 18.095 0 0 0 5.223-5.223c.542-.827.369-1.908-.33-2.607L11.16 3.66A2.25 2.25 0 0 0 9.568 3Z" />- <path stroke-linecap="round" stroke-linejoin="round" d="M6 6h.008v.008H6V6Z" />- </svg>';- echo '<div class="aiovg-item-tag">' . implode( '<span class="aiovg-separator">,</span></div><div class="aiovg-item-tag">', $meta ) . '</div>';- echo '</div>';- }- }- ?> + <?php if ( $attributes['show_excerpt'] ) : ?>+ <div class="aiovg-excerpt aiovg-hide-if-empty"><?php the_aiovg_excerpt( $attributes['excerpt_length'] ); ?></div>+ <?php endif; ?> - <?php if ( $attributes['show_excerpt'] ) : ?>- <div class="aiovg-excerpt aiovg-hide-if-empty"><?php the_aiovg_excerpt( $attributes['excerpt_length'] ); ?></div>- <?php endif; ?>-- <?php the_aiovg_content_after_thumbnail( $attributes ); // After Thumbnail ?>- </div> - </div> + <?php the_aiovg_content_after_thumbnail( $attributes ); // After Thumbnail ?> </div> </div>\ No newline at end of file
Vulnerability Existed: no
XSS - CWE-79 - public/templates/video-thumbnail-image-left.php (all lines)
Old Code:
```php
echo sprintf(
'<a href="%s" class="aiovg-responsive-container" style="padding-bottom: %s;">',
esc_url( get_permalink() ),
esc_attr( $attributes['ratio'] )
);
```
Fixed Code:
```php
echo sprintf(
'<a href="%s" class="aiovg-responsive-container" style="padding-bottom: %s;">',
esc_url( get_permalink() ),
esc_attr( $attributes['ratio'] )
);
```
Explanation:
No vulnerability exists in this template. On both sides of the diff, user-controlled values reach the markup only through context-appropriate escaping: `esc_url()` for the permalink and the category/tag page URLs, `esc_attr()` for the `padding-bottom` attribute value, and `esc_html()` for term names, counts and translated labels; the `orderby`/`order` values taken from `$attributes` pass through `sanitize_text_field()` before `wp_get_object_terms()`. The diff is described as a layout restructuring (removal of the two-column grid built from `.aiovg-row`, `.aiovg-col-p-40`, `.aiovg-col-p-60`); that earlier part of the hunk is not shown here. In the part that is shown, the category and tag blocks are moved rather than changed — the same `wp_get_object_terms()` calls and the same `esc_url()`/`esc_html()` wrapping appear in the removed and added lines — and the old generic meta loop, which did `echo $meta_content;` with no escaping at the point of output and relied on each entry having been escaped when it was built, is removed from the visible portion. All variable outputs continue to use appropriate escaping functions (`esc_url()`, `esc_attr()`, `esc_html()`, and, elsewhere in the file, `wp_kses_post()`). This template does not touch the upload path, so the arbitrary file upload described in the advisory is unrelated to these lines; the refactoring neither introduces nor fixes a security vulnerability.
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
--- cache/all-in-one-video-gallery_4.5.7/public/video.php 2026-01-16 00:19:59.831618692 +0000
+++ cache/all-in-one-video-gallery_4.6.4/public/video.php 2026-01-16 00:20:23.945133072 +0000
@@ -74,20 +74,6 @@
 }
 
 /**
- * Add support for HLS & MPEG-DASH.
- *
- * @since 3.0.0
- * @param array $mimes Array of allowed mime types.
- * @return array Filtered mime types array.
- */
- public function add_mime_types( $mimes ) {
- $mimes['m3u8'] = 'application/x-mpegurl';
- $mimes['mpd'] = 'application/dash+xml';
-
- return $mimes;
- }
-
- /**
 * Run the shortcode [aiovg_video].
 *
 * @since 1.0.0
```
Vulnerability Existed: no
Unrestricted File Type Upload - CWE-434 - public/video.php Lines 83-87
[Old Code]
public function add_mime_types( $mimes ) {
$mimes['m3u8'] = 'application/x-mpegurl';
$mimes['mpd'] = 'application/dash+xml';
return $mimes;
}
[Fixed Code]
[Function removed entirely]
Explanation:
Removing `add_mime_types()` drops the two entries it added to the filtered `$mimes` array (`m3u8` → `application/x-mpegurl` and `mpd` → `application/dash+xml`). The method's docblock describes `$mimes` as the array of allowed mime types, which is the shape of a WordPress `upload_mimes` filter callback; the hook registration itself is not in this hunk. If it was hooked there, the deletion removes HLS playlists and MPEG-DASH manifests from the extensions the site accepts for upload, which narrows the upload allow-list for users who already have upload capability. The function performs no validation of its own, so its removal neither adds nor fixes an upload check; in particular it does not address the VTT double-extension bypass described in the advisory, whose fix would live in the code that validates subtitle uploads, not shown here. Whether the plugin now registers these two types elsewhere, or simply dropped HLS/DASH upload support, cannot be determined from this hunk, so this change is best read as attack-surface reduction rather than the vulnerability fix (CWE-434).
```
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.