1. Vulnerability Background
What is this vulnerability?
- The All-in-One Video Gallery WordPress plugin allows authenticated users to upload subtitle/media files.
- In versions up to and including 4.5.7, the plugin did not enforce sufficient server-side file validation for uploaded VTT-related content.
- This weakness made it possible for authenticated attackers with author-level access or higher to upload arbitrary files, including payloads that may be executed or used to persist malicious code.
Why is it critical/important?
- Arbitrary file upload on a web server is a high-risk issue because it can lead directly to remote code execution, depending on file placement and server configuration.
- The vulnerability is particularly dangerous because it is exploitable by a relatively low-privileged authenticated user role (author), which is common in multi-author WordPress installations.
- Once arbitrary files can be written to the server, attackers can deploy web shells, modify site content, and escalate compromise beyond the plugin.
What systems/versions are affected?
- Affected component: All-in-One Video Gallery WordPress plugin.
- Affected versions: all versions up to and including 4.5.7.
- Impacted environments: WordPress sites running the plugin where authors or higher can access the upload/import functionality.
2. Technical Details
Root cause analysis
- The plugin relied on insufficient file type validation for uploaded subtitle files, especially VTT files.
- The validation logic could be bypassed by crafting files with double extensions, allowing malicious payloads to appear as valid VTT files.
- In admin/import-export.php, the ZIP extraction routine did not sufficiently validate extracted file contents before returning the extraction result, leaving the extracted files on disk.
- The root issue is a combination of weak extension/MIME enforcement and inadequate sanitization of imported archive contents.
Attack vector and exploitation conditions
- The attacker must be authenticated with at least author-level permissions on the WordPress site.
- The attacker uses the plugin’s upload or import interface to submit a crafted file.
- The exploit leverages double-extension naming or archive extraction behavior to bypass sanitization.
- Once accepted, the file is written to the server under the plugin’s upload/import directory.
- If the server processes the uploaded file as executable code, or if the attacker can otherwise use it, remote code execution becomes possible.
Security implications
- Arbitrary file upload gives an attacker the ability to place arbitrary content on disk.
- This can lead to remote code execution, file disclosure, or site takeover depending on server configuration.
- The attack bypasses role-based protections by exploiting a plugin-specific upload path available to non-administrative users.
- It increases the risk of persistent compromise, backdoor installation, and lateral movement within the application.
3. Patch Analysis
What code changes were made?
- The patch modifies the extraction workflow in admin/import-export.php.
- After calling unzip_file( $zip_file_path, $extract_path ), the fixed code iterates over all extracted files using a RecursiveDirectoryIterator (with SKIP_DOTS) wrapped in a RecursiveIteratorIterator in CHILD_FIRST mode.
- For each extracted file, it calls wp_check_filetype( $file->getFilename() ).
- If the file type lookup returns an empty type, the file is deleted with @unlink( $file->getPathname() ).
- The patch also ensures cleanup of the temporary protection files with @unlink( $htaccess_file ) and @unlink( $webconfig_file ); this cleanup occurs on both the failure and success paths.
How do these changes fix the vulnerability?
- The fix adds a second layer of validation after archive extraction, ensuring that extracted files are subject to WordPress file-type checks.
- Files that do not resolve to a recognized MIME/type mapping are removed before the extraction result is returned.
- This reduces the chance that a malicious or unexpected file remains on disk after import.
- Cleanup of protection files reduces the risk of temporary artifacts being left behind.
Security improvements introduced
- Post-extraction file validation reduces arbitrary file persistence from imported archives.
- Cleanup logic hardens the import process by removing temporary protection files regardless of outcome.
- Although not shown fully in the provided diff, related remediation steps in the plugin also add capability checks to AJAX handlers, restricting sensitive operations to users with proper permissions.
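The post-extraction pass described above, written out as an added Python example (it is not the plugin's code, which is PHP): it reproduces the patch's logic, walking the extracted tree child-first, keeping only names whose final extension maps to an allowed type and unlinking the rest. It also adds one check the patch as described does not make: rejecting names that carry a script extension in an earlier segment, such as shell.php.vtt, because a final-extension lookup like wp_check_filetype accepts such a name once .vtt is an allowed type, and whether the file then executes depends on the web server's handler configuration. The allow-list, the executable-extension set and the sample archive layout are constructed for the example.

```python
import os
import tempfile

# Stand-in allow-list. The real patch asks WordPress (wp_check_filetype)
# which extensions map to a permitted MIME type; these entries are
# constructed for this example.
ALLOWED_EXTENSIONS = {"vtt", "srt", "mp4", "jpg", "png"}

# Server-side script extensions. Constructed list; extend for your stack.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "php7", "phar"}


def final_extension(filename):
    """Return the last extension, lower-cased, or '' if there is none.
    This mirrors a final-extension lookup such as wp_check_filetype."""
    base = os.path.basename(filename)
    if "." not in base.strip("."):
        return ""
    return base.rsplit(".", 1)[1].lower()


def has_executable_segment(filename):
    """True for names such as shell.php.vtt, where an earlier extension
    segment is a script extension. A final-extension check alone does not
    catch this, so such names are rejected outright."""
    segments = os.path.basename(filename).lower().split(".")[1:]
    return any(seg in EXECUTABLE_EXTENSIONS for seg in segments)


def classify(filename, allowed=ALLOWED_EXTENSIONS):
    """Return 'keep' or 'delete' for an extracted file name."""
    ext = final_extension(filename)
    if ext == "" or ext not in allowed:
        return "delete"  # what the patch does when the type lookup is empty
    if has_executable_segment(filename):
        return "delete"  # stricter than the patch: double extensions
    return "keep"


def validate_extracted_files(extract_dir, allowed=ALLOWED_EXTENSIONS):
    """Walk the extraction directory bottom-up (like CHILD_FIRST) and delete
    every file that fails classification. Returns (kept, removed) as sorted
    lists of '/'-separated paths relative to extract_dir."""
    kept, removed = [], []
    for root, _dirs, files in os.walk(extract_dir, topdown=False):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, extract_dir).replace(os.sep, "/")
            if classify(name, allowed) == "delete":
                os.unlink(path)
                removed.append(rel)
            else:
                kept.append(rel)
    return sorted(kept), sorted(removed)


def demo():
    """Build a constructed archive layout in a temp dir, validate it and
    return (kept, removed, files_still_on_disk)."""
    layout = {
        "subs/english.vtt": "WEBVTT\n",
        "subs/shell.php.vtt": "constructed double-extension sample",
        "backdoor.php": "constructed script sample",
        "README": "no extension at all",
        "poster.jpg": "constructed image stand-in",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in layout.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        kept, removed = validate_extracted_files(tmp)
        survivors = sorted(
            os.path.relpath(os.path.join(r, f), tmp).replace(os.sep, "/")
            for r, _, fs in os.walk(tmp) for f in fs
        )
    return kept, removed, survivors


if __name__ == "__main__":
    print(demo())
```

In the demo layout only english.vtt and poster.jpg survive; shell.php.vtt is removed by the double-extension rule even though its final extension is allowed, and README is removed because it has no extension at all, which is the case the patch's empty-type check covers.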
4. Proof of Concept (PoC) Guide
Prerequisites for exploitation
- A WordPress installation with All-in-One Video Gallery plugin version 4.5.7 or older.
- An account with author-level access or higher.
- Access to the plugin’s upload/import interface.
Step-by-step exploitation approach
- Log in as an author or another permitted role.
- Navigate to the All-in-One Video Gallery import or subtitle upload page.
- Prepare a crafted payload:
  - example filename: shell.php.vtt
  - payload body: <?php system($_GET['cmd']); ?>
- Upload the crafted file through the plugin interface or include it inside a ZIP archive and import the archive.
- Confirm upload completion and determine the stored filename/location.
- Access the uploaded file directly via a browser or HTTP request to verify it exists on the server.
Expected behavior vs exploited behavior
- Expected behavior: the plugin should accept only legitimate media/subtitle files and reject arbitrary or malformed uploads.
- Exploited behavior: the plugin accepts the crafted file, stores it on disk, and leaves an arbitrary payload on the server.
How to verify the vulnerability exists
- Check whether the plugin accepts .vtt uploads with a double extension or ZIP archives containing unexpected file types.
- Inspect the upload/import directory for files such as *.php.vtt, *.php, or other non-media files.
- If possible, use a web request to access the uploaded payload and confirm the file is served from the site.
- Use server-side logs or file system monitoring to verify a non-whitelisted file was created.
5. Recommendations
Mitigation strategies
- Upgrade the All-in-One Video Gallery plugin to a patched version newer than 4.5.7.
- If patching is not immediately possible, remove or disable the vulnerable plugin.
- Restrict author-level and contributor-level accounts, and audit users with upload/import privileges.
- Implement a Web Application Firewall or upload filtering to block suspicious double-extension uploads and archive-based payloads.
Detection methods
- Monitor plugin upload directories for unexpected file types and double-extension filenames.
- Scan for files matching patterns such as *.php.vtt, *.phtml, *.php, and other executable extensions under plugin-managed directories.
- Review WordPress logs for import/upload actions associated with All-in-One Video Gallery.
- Deploy file integrity monitoring on wp-content/uploads/ and plugin directories.
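A detection sweep of the kind the list above describes, as an added Python example that is not part of the advisory or the plugin: it walks an uploads tree, flags double-extension and executable-extension names, and additionally sniffs the first bytes of each file for a PHP open tag so that a script renamed to a plain .vtt is caught as well. The extension sets, the directory layout (including the plugin-import/ folder name) and the file contents are constructed for the example; in practice scan_uploads is pointed at wp-content/uploads/.

```python
import os
import re
import tempfile

# Constructed sets; extend for your stack.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "php7", "phar"}
# A PHP open tag, long or short-echo form, anywhere in the sniffed bytes.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def name_findings(filename):
    """Reasons a file name alone is suspicious, in a fixed order."""
    exts = os.path.basename(filename).lower().split(".")[1:]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable-extension")
    if len(exts) >= 2 and any(e in EXECUTABLE_EXTENSIONS for e in exts[:-1]):
        reasons.append("double-extension")
    return reasons


def content_findings(path, sniff_bytes=4096):
    """Flag a PHP open tag inside a file stored under a media directory;
    name-based checks miss a script that was simply renamed to .vtt."""
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes)
    return ["php-tag-in-content"] if PHP_OPEN_TAG.search(head) else []


def scan_uploads(upload_dir):
    """Walk upload_dir and return a sorted list of (relative_path, reasons)
    for every file that trips a name or content rule."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = name_findings(name) + content_findings(path)
            if reasons:
                rel = os.path.relpath(path, upload_dir).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Constructed uploads tree: two clean media files, one double-extension
    name, one executable extension and one renamed script."""
    layout = {
        "2024/01/english.vtt": b"WEBVTT\n\n00:00.000 --> 00:01.000\nhi\n",
        "2024/01/poster.jpg": b"\xff\xd8\xff\xe0constructed",
        "2024/01/shell.php.vtt": b"<?php echo 'constructed'; ?>",
        "2024/01/renamed.vtt": b"<?= 'constructed' ?>",
        "plugin-import/backdoor.php": b"<?php echo 'constructed'; ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in layout.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

Each finding carries its reasons so a reviewer can tell a double-extension name that happens to be harmless text from a file that actually contains PHP; raising the sniff window or adding a hash of the flagged file to the output are the natural extensions when feeding this into a ticket or SIEM.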
Best practices to prevent similar issues
- Enforce strict server-side validation of uploaded files, not just client-side checks.
- Use a whitelist of allowed file extensions and MIME types, and validate against both filename and file content where possible.
- Reject files with double extensions or suspicious filename constructs.
- Ensure sensitive AJAX endpoints verify user capabilities in addition to nonces.
- Clean up temporary files and artifacts immediately after processing uploads.
- Apply least privilege for plugin functionality and restrict upload access to trusted roles only.