All-in-One Video Gallery Missing Authorization Vulnerability Allows Unauthorized User Meta Modification

Vulnerability

A vulnerability exists in the All-in-One Video Gallery plugin for WordPress, specifically in versions 4.1.0 to 4.6.4. The issue arises from a lack of proper capability checks in the 'ajax_callback_store_user_meta()' function, which allows authenticated users with Subscriber-level access and above to arbitrarily modify string-based user meta keys for their own accounts. The consequences of this unauthorized data manipulation depend on which meta keys are altered.

Impact

Exploitation of this vulnerability could result in unauthorized changes to user meta data, potentially allowing attackers to manipulate information that could affect their privileges or the functionality of the site.

Remediation

Users are advised to update the All-in-One Video Gallery plugin to version 4.7.1 or a newer patched version.
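
For developers reviewing their own AJAX handlers for the same class of flaw, the following added example (not the plugin's code or its actual patch) shows a handler that verifies a nonce, checks a capability, and writes only allowlisted meta keys. The action name, the nonce field name and the meta keys prefixed "example_" are hypothetical.

```php
<?php
// Added example, not the plugin's code. Every "example_" name is hypothetical.

// The only meta keys this endpoint may write (assumed list for illustration).
const EXAMPLE_ALLOWED_META_KEYS = array( 'example_player_volume', 'example_player_muted' );

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_store_user_meta', 'example_store_user_meta' );

function example_store_user_meta() {
	// 1. Require a valid nonce for this action (CSRF protection).
	if ( ! check_ajax_referer( 'example_store_user_meta', 'security', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Explicit capability check. 'read' is held by every role, including
	//    Subscriber; use a stricter capability if the feature requires one.
	if ( ! current_user_can( 'read' ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// 3. Normalize the requested key and compare it against the allowlist.
	//    This is what stops a caller from writing arbitrary meta keys.
	$key = isset( $_POST['key'] ) && is_string( $_POST['key'] )
		? sanitize_key( wp_unslash( $_POST['key'] ) )
		: '';
	if ( ! in_array( $key, EXAMPLE_ALLOWED_META_KEYS, true ) ) {
		wp_send_json_error( array( 'message' => 'Meta key not permitted.' ), 400 );
	}

	// 4. Accept only a plain string value and sanitize it before storage.
	if ( ! isset( $_POST['value'] ) || ! is_string( $_POST['value'] ) ) {
		wp_send_json_error( array( 'message' => 'Invalid value.' ), 400 );
	}
	$value = sanitize_text_field( wp_unslash( $_POST['value'] ) );

	// 5. Write to the current user's own record only; the user ID is never
	//    taken from the request.
	update_user_meta( get_current_user_id(), $key, $value );
	wp_send_json_success( array( 'key' => $key ) );
}
```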

Added: Jan 24, 2026, 9:30 AM
Updated: Jan 24, 2026, 9:30 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 2.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.