Analysis Report · Folder Analysis cache/all-in-one-video-gallery_4.6.4 → cache/all-in-one-video-gallery_4.7.1 — CVE-2025-15516

Shared security patch analysis results

Mode: patchdiff · AI: claude_cli haiku
CVE Security Analysis & Writeups (AI-generated, per CVE)

Comprehensive security analysis generated by AI for each confirmed CVE match. Each writeup covers the vulnerability background, technical details, patch analysis, and a PoC guide.

CVE-2025-15516 (NVD)
AI-Generated Analysis
admin/admin.php · AI: 2 vulnerabilities, 2 true positives · CVE-2025-15516
--- cache/all-in-one-video-gallery_4.6.4/admin/admin.php	2026-01-16 00:20:23.445101681 +0000+++ cache/all-in-one-video-gallery_4.7.1/admin/admin.php	2026-01-24 00:20:18.298082951 +0000@@ -753,6 +753,13 @@ 	public function enqueue_scripts( $hook ) {
 		global $post_type;
 
+		$post_id = 0;
+
+		$screen = get_current_screen();
+		if ( $screen && 'aiovg_videos' === $screen->post_type && ! empty( $_GET['post'] ) ) {
+			$post_id = absint( $_GET['post'] );
+		}
+
 		if ( 
 			( isset( $_GET['page'] ) && in_array( $_GET['page'], array( 'all-in-one-video-gallery', 'aiovg_settings', 'aiovg_import_export' ) ) ) ||
 			( in_array( $hook, array( 'post-new.php', 'post.php' ) ) && 'aiovg_videos' === $post_type ) || 
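Review bot: the new `$post_id` block re-checks the screen (`'aiovg_videos' === $screen->post_type`) even though the `if` immediately below already gates on `in_array( $hook, array( 'post-new.php', 'post.php' ) ) && 'aiovg_videos' === $post_type`; consider computing `$post_id` inside that branch so the `$_GET['post']` read only happens when the admin assets are actually enqueued, and the screen test is not duplicated.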
@@ -816,8 +823,9 @@ 			AIOVG_PLUGIN_SLUG . '-admin', 
 			'aiovg_admin', 
 			array(
-				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'site_url'   => get_site_url(),
+				'post_id'    => $post_id,
+				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'i18n'       => array(
 					'copied'             => __( 'Copied!', 'all-in-one-video-gallery' ),
 					'no_issues_selected' => __( 'Please select at least one issue.', 'all-in-one-video-gallery' ),
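Review bot: the `'ajax_nonce'` entry is removed and re-added unchanged below `'post_id'`, which is pure reordering churn in the diff; inserting `'post_id'    => $post_id,` after the existing `'site_url'` line would give the same localized object with a one-line hunk.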
@@ -1063,14 +1071,28 @@ 		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
 
 		$user_id = get_current_user_id();
-		$key     = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';
-		$value   = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : '';
+		if ( ! $user_id ) {
+			wp_die();
+		}
+
+		if ( ! current_user_can( 'manage_aiovg_options' ) ) {
+			wp_die();
+		}
+
+		$key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
+		$allowed_keys = array( 'aiovg_video_form_tour',	'aiovg_automation_form_tour' );
+
+		if ( ! in_array( $key, $allowed_keys ) ) {
+			wp_die();
+		}
 
-		if ( ! empty( $user_id ) && ! empty( $key ) ) {
-			update_user_meta( $user_id, $key, $value );
+		$value = isset( $_POST['value'] ) ? trim( $_POST['value'] ) : 0;
+		if ( 'completed' !== $value ) {
+			$value = (int) $value;
 		}
 
-		wp_die();	
+		update_user_meta( $user_id, $key, $value );
+		wp_die();
 	}
 
 }
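Review bot: `trim( $_POST['value'] )` in the value block assumes a string; if `value` is submitted as an array, `trim()` raises a TypeError on PHP 8 before the `'completed'` comparison runs, so guard with `is_string()` or pass the input through `sanitize_text_field()` first. The allow-list check `in_array( $key, $allowed_keys )` should pass `true` as the third argument for a strict comparison, and a tab rather than a space separates the two entries in `$allowed_keys`. Every rejection path (`! $user_id`, missing capability, key not allowed) calls a bare `wp_die()`, so the JS caller receives an empty response and cannot tell a denied request from a successful one; `wp_send_json_error()` would make the failure observable to the client and in logs.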
AI Analysis
---

## Security Analysis Report

**Vulnerability #1: Arbitrary User Metadata Update - Authorization Bypass**

Vulnerability Existed: yes
TRUE POSITIVE

CWE-863 Incorrect Authorization · admin/admin.php lines 1066-1071

**Old Code:**
```php
$key     = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';
$value   = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : '';

if ( ! empty( $user_id ) && ! empty( $key ) ) {
    update_user_meta( $user_id, $key, $value );
}
```

**Fixed Code:**
```php
if ( ! $user_id ) {
    wp_die();
}

if ( ! current_user_can( 'manage_aiovg_options' ) ) {
    wp_die();
}

$key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
$allowed_keys = array( 'aiovg_video_form_tour', 'aiovg_automation_form_tour' );

if ( ! in_array( $key, $allowed_keys ) ) {
    wp_die();
}

$value = isset( $_POST['value'] ) ? trim( $_POST['value'] ) : 0;
if ( 'completed' !== $value ) {
    $value = (int) $value;
}

update_user_meta( $user_id, $key, $value );
```

**Explanation:**
The old code allowed any user with any capability level to update arbitrary user metadata through the AJAX handler. The vulnerabilities fixed include:

1. **Missing Authorization Check**: The old code only checked if `$user_id` was non-empty, but didn't verify the user had permission (`manage_aiovg_options` capability).
2. **Arbitrary Key Injection**: The old code accepted any POST key without validation. An attacker could update any user metadata key. Fixed by implementing a whitelist of allowed keys (`aiovg_video_form_tour`, `aiovg_automation_form_tour`).
3. **Type Confusion/Injection**: The old code used `sanitize_text_field()` on the value without type validation, allowing arbitrary data. Fixed by restricting values to specific types: either 'completed' string or integer values.
4. **Weak Sanitization for Keys**: Changed from `sanitize_text_field()` to `sanitize_key()`, which is the appropriate function for sanitizing metadata keys.

---

**Vulnerability #2: Missing Authentication Verification**

Vulnerability Existed: yes
TRUE POSITIVE

CWE-287 Improper Authentication · admin/admin.php lines 1069-1073

**Old Code:**
```php
if ( ! empty( $user_id ) && ! empty( $key ) ) {
    update_user_meta( $user_id, $key, $value );
}

wp_die();
```

**Fixed Code:**
```php
if ( ! $user_id ) {
    wp_die();
}

if ( ! current_user_can( 'manage_aiovg_options' ) ) {
    wp_die();
}
```

**Explanation:**
The old code relied on a weak check (`! empty( $user_id )`), which in theory would pass even for user ID 0 (though this is unlikely). More critically, it allowed any authenticated user to execute the metadata update without verifying that they held the required capability. The fix adds an explicit authentication check followed by `current_user_can( 'manage_aiovg_options' )`, the idiomatic WordPress permission test, and terminates execution immediately if either check fails.
CVE Analysis Results:
CVE-2025-15516: Yes
CVE Description:
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.