CVE-2025-12957

High
CWE-434 — Weakness Type
Published: Jan 16, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

🤖 AI Executive Summary

The All-in-One Video Gallery WordPress plugin (versions up to and including 4.5.7) contains a high-severity (CVSS 8.8) arbitrary file upload vulnerability (CWE-434): an authenticated user with the Author role or higher can bypass the plugin's VTT file type validation with a double-extension filename, so a file the plugin accepts as a WebVTT subtitle track can also carry a server-side script extension (for example a name combining .php and .vtt). Whether such a file then executes depends on the web server in front of WordPress: an Apache installation that attaches the PHP handler with AddHandler will run a file named name.php.vtt as PHP, because mod_mime evaluates every extension in the name, while a name that ends in .php executes on any default PHP stack. Where execution is possible the result is remote code execution as the web server user, followed by full site compromise and a foothold from which to move laterally. The risk is highest for Saudi organizations that run WordPress with many content contributors, since every author-level account is a potential entry point.
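To make the double-extension bypass concrete, here is an added example that is not the plugin's code and not part of this advisory: a weak, substring-style VTT check of the kind such filenames defeat, written as a generic reconstruction of the CWE-434 pattern rather than the plugin's actual logic, beside the strict acceptance check an upload handler should apply. The strict check validates both the filename (exactly one .vtt extension, no script extension among the inner tokens, plain identifier characters only) and the content (the WEBVTT signature, no PHP open tag). It is written in Python rather than the plugin's PHP so that it runs stand-alone; the EXECUTABLE_EXTS list and the sample inputs are assumptions to tune to the server's handler configuration.

```python
"""Strict WebVTT upload acceptance beside the weak check a double-extension
filename defeats. Added illustrative example: not the All-in-One Video Gallery
plugin's code; naive_is_vtt() is a generic reconstruction of the CWE-434
weakness class, not the plugin's actual validation."""
import re

# Extensions a PHP-capable web server may hand to the interpreter (assumed
# list; tune it to the handler configuration of the server in front of WP).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "phps"}

# Every token except the final extension must be a plain identifier.
SAFE_TOKEN = re.compile(r"[a-z0-9_-]+")


def naive_is_vtt(filename: str) -> bool:
    """Weak check (constructed): accepts any name that merely contains '.vtt'.
    Both 'shell.php.vtt' and 'shell.vtt.php' pass."""
    return ".vtt" in filename.lower()


def strict_vtt_filename(filename: str) -> bool:
    """Accept only token[.token...].vtt where no inner token is a script
    extension and every token is a plain identifier. Rejects
    'shell.php.vtt', 'shell.vtt.php', names with an embedded NUL byte
    and anything carrying path separators."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] != "vtt":
        return False
    inner = parts[:-1]
    if any(p in EXECUTABLE_EXTS for p in inner):
        return False
    return all(SAFE_TOKEN.fullmatch(p) for p in inner)


def strict_vtt_content(data: bytes) -> bool:
    """A WebVTT file starts with the 'WEBVTT' signature (an optional UTF-8
    BOM may precede it) followed by a space, tab, line break or end of file,
    and must never contain a PHP open tag anywhere in the body."""
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data
    if not body.startswith(b"WEBVTT"):
        return False
    if len(body) > 6 and body[6:7] not in (b" ", b"\t", b"\r", b"\n"):
        return False
    lowered = data.lower()
    return b"<?php" not in lowered and b"<?=" not in lowered


def accept_vtt_upload(filename: str, data: bytes) -> bool:
    """Name and content must both pass; either failing rejects the upload."""
    return strict_vtt_filename(filename) and strict_vtt_content(data)


if __name__ == "__main__":
    # Constructed inputs: a benign track and a double-extension web shell.
    benign = ("intro.en.vtt", b"WEBVTT\n\n00:00.000 --> 00:02.000\nWelcome\n")
    shell = ("shell.php.vtt", b"WEBVTT\n<?php system($_GET['c']); ?>\n")
    for name, body in (benign, shell):
        print(f"{name}: naive={naive_is_vtt(name)} "
              f"strict={accept_vtt_upload(name, body)}")
```

Note that the content check is not optional: a file named correctly but containing a PHP open tag is still a web shell waiting for a handler misconfiguration, so both checks run regardless of what the client declared as MIME type.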

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 04:02
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi media companies, news organizations, educational institutions, and government agencies that publish through WordPress and run this plugin. Bank and telecom (for example STC or Mobily) content sites built on WordPress would be exposed if they use the plugin; the advisory does not establish that any specific organization does. Healthcare providers using WordPress for patient education material risk exposure of any personal data held on the same host, which is a PDPL matter (SAMA regulations cover the financial sector, not healthcare). Government entities under NCA oversight face compromise of internet-facing sites and of anything reachable from the web server. The exposure scales with the number of author-level accounts: the flaw requires an authenticated Author or above, so a newsroom or faculty with many contributors has many credentials whose phishing or reuse would hand an attacker the required role. Contributors do not trigger the flaw by accident; the malicious upload is deliberate.
🏢 Affected Saudi Sectors
Media & Publishing Government & Public Sector Education Banking & Financial Services Healthcare Telecommunications E-commerce Non-profit Organizations
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Update the All-in-One Video Gallery plugin to version 4.5.8 or later.
2. Audit everything under wp-content/uploads/ added in the past 90 days: look for filenames carrying a PHP-family extension anywhere in the name (.php.vtt, .vtt.php and the .phtml, .phar and .php5 variants) and for .vtt files that do not begin with the WEBVTT signature or that contain a PHP open tag. Names ending in .exe or .jsp are not executed by a PHP stack and are noise here.
3. Review web server access logs for requests to files under wp-content/uploads/ whose names carry a script extension, in particular POST requests or GETs with query strings that return 200; these show an uploaded file being driven as a web shell.
4. Limit the Author role and above to trusted, MFA-protected accounts. The flaw needs at least author-level access, so every such account is an entry point; apply least privilege and remove stale contributors.
5. If the update cannot be applied at once, deactivate the plugin (or at minimum stop accepting VTT uploads through it) until it is patched.

PATCHING GUIDANCE:
- Deploy the update from the WordPress admin dashboard (Plugins > Update) or with WP-CLI (wp plugin update all-in-one-video-gallery).
- Test in a staging environment before production deployment.
- Verify post-patch: as an author-level test account, try to upload a file named test.php.vtt containing only valid WEBVTT text and confirm that the upload is rejected or that the stored filename no longer carries the extra extension.

COMPENSATING CONTROLS (if immediate patching is impossible):
- WAF: block multipart uploads whose filename contains a PHP-family extension anywhere in the name, not only the exact string .php.vtt; attackers will vary the pair.
- Web server: deny PHP execution for everything under wp-content/uploads/ (on Apache a FilesMatch deny rule, or php_flag engine off for that directory where mod_php is in use; on nginx a location rule that denies .php under uploads). Apache caveat: if the PHP handler is attached with AddHandler, mod_mime treats shell.php.vtt as PHP because it evaluates every extension in the name, so the deny pattern must match .php anywhere in the filename, not only at the end.
- Content validation at the edge: a WebVTT file begins with the WEBVTT signature; reject uploads claiming to be .vtt whose body does not, regardless of the declared MIME type, which the client controls.
- Monitor the uploads directory with file integrity monitoring or the SIEM for new files with script extensions.

DETECTION RULES:
- Alert on upload requests whose filename carries a PHP-family extension anywhere in the name (double extensions such as .php.vtt or .vtt.php).
- Monitor POST requests carrying such filenames to the plugin's upload handler and to WordPress core upload handlers (wp-admin/async-upload.php, wp-admin/admin-ajax.php); wp-admin/upload.php is the Media Library page, not the upload endpoint.
- Treat any request to wp-content/uploads/ that reaches a file with a script extension as high severity; uploaded files should only ever be served statically.
- Flag .vtt files that do not start with WEBVTT or that contain a PHP open tag. Size on its own is a weak signal: a web shell is typically a few hundred bytes.
- If WP_DEBUG_LOG is enabled, review wp-content/debug.log for upload-related warnings, bearing in mind that it only records what the plugin and core choose to log.
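The audit and detection steps above (items 2 and 3 of the immediate actions and the detection rules) can be scripted. The following is an added example, not part of the advisory or of the plugin: it walks an uploads tree flagging any filename with a script extension anywhere in it and any .vtt file whose content is not WebVTT, and it parses Apache combined-format access log lines for requests that reach such a file under /wp-content/uploads/ or POST into that tree. The upload tree, log lines and addresses are constructed sample data; the EXECUTABLE_EXTS list is an assumption to tune to the server's handler configuration.

```python
"""Retrospective audit for the double-extension upload issue: scan an uploads
tree and an access log for the traces it leaves. Added example, not part of
the advisory or the plugin. Upload tree, Apache combined log lines and
addresses are constructed; EXECUTABLE_EXTS is an assumed list."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "phps"}

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    name: str    # basename, for reporting
    path: str    # path on disk, or request path from the log
    reason: str


def name_has_executable_ext(name: str) -> bool:
    """True if any extension after the base name (not only the last one) is a
    script extension: catches shell.php.vtt, shell.vtt.php and shell.phtml."""
    parts = os.path.basename(name).lower().split(".")
    return any(p in EXECUTABLE_EXTS for p in parts[1:])


def vtt_content_ok(data: bytes) -> bool:
    """WebVTT signature present (after an optional BOM) and no PHP open tag."""
    body = data[3:] if data.startswith(b"\xef\xbb\xbf") else data
    lowered = data.lower()
    return body.startswith(b"WEBVTT") and b"<?php" not in lowered and b"<?=" not in lowered


def audit_uploads(root: str) -> list[Finding]:
    """Walk wp-content/uploads (or any tree): flag script extensions anywhere
    in a filename, and .vtt files whose content is not WebVTT."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if name_has_executable_ext(fn):
                findings.append(Finding(fn, path, "script extension in filename"))
            if fn.lower().endswith(".vtt"):
                with open(path, "rb") as fh:
                    data = fh.read()
                if not vtt_content_ok(data):
                    findings.append(Finding(fn, path, "not WebVTT or contains PHP tag"))
    return findings


def suspicious_log_lines(lines: list[str]) -> list[Finding]:
    """Uploads should only ever be fetched statically: flag any request under
    /wp-content/uploads/ for a script-named file, and any POST into the tree."""
    hits: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if "/wp-content/uploads/" not in path:
            continue
        base = os.path.basename(path)
        if name_has_executable_ext(path):
            hits.append(Finding(base, path, f"{m['method']} to script-named upload "
                                            f"from {m['ip']} (status {m['status']})"))
        elif m["method"] == "POST":
            hits.append(Finding(base, path, f"POST into uploads from {m['ip']}"))
    return hits


def build_sample_uploads() -> str:
    """Constructed tree: a benign track, a double-extension shell, a .vtt that
    is really a binary, and an image that should produce no finding."""
    root = tempfile.mkdtemp(prefix="uploads-audit-")
    d = os.path.join(root, "2026", "01")
    os.makedirs(d)
    samples = {
        "intro.vtt": b"WEBVTT\n\n00:00.000 --> 00:02.000\nWelcome\n",
        "shell.php.vtt": b"WEBVTT\n<?php system($_GET['c']); ?>\n",
        "notes.vtt": b"\x7fELF\x02\x01\x01\x00 not a subtitle file",
        "logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return root


# Constructed Apache combined log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2026:10:02:11 +0300] "GET /wp-content/uploads/2026/01/intro.vtt HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2026:10:04:53 +0300] "GET /wp-content/uploads/2026/01/shell.php.vtt?c=id HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '203.0.113.7 - - [16/Jan/2026:10:05:02 +0300] "POST /wp-content/uploads/2026/01/shell.php.vtt HTTP/1.1" 200 1337 "-" "curl/8.5.0"',
    '198.51.100.4 - - [16/Jan/2026:10:06:00 +0300] "GET /wp-content/uploads/2026/01/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in audit_uploads(build_sample_uploads()) + suspicious_log_lines(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```

On a real host, point audit_uploads at the site's wp-content/uploads/ and feed suspicious_log_lines the web server's access log; on the sample data the shell produces two file findings (name and content) and two log hits (the GET with a query string and the POST), while the benign track and the image produce none.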
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Vulnerabilities Management (timely patching of the plugin)
Cybersecurity Event Logs and Monitoring Management (upload and web-server log monitoring)
Web Application Security (upload validation and script-execution controls on internet-facing sites)
Identity and Access Management (least privilege for the Author role and above)
Third-Party Cybersecurity (WordPress plugin supply chain)
🔵 SAMA CSF (applies to SAMA-regulated financial institutions)
Cyber Security Risk Management and Compliance (vulnerability and patch management)
Cyber Security Operations and Technology (application security, logging and monitoring, incident response for unauthorized uploads)
Third Party Cyber Security (plugin vendor and supply-chain assessment)
🟡 ISO 27001:2022
A.5.1 Policies for information security
A.5.15 Access control
A.5.19 Information security in supplier relationships
A.8.8 Management of technical vulnerabilities
A.8.15 Logging
A.8.16 Monitoring activities
A.8.32 Change management
🟣 PCI DSS v4.0.1 (where the WordPress site is in scope for cardholder data)
6.3.3 Install applicable security patches (critical and high within one month of release)
6.4 Protect public-facing web applications against attacks (WAF or application review)
7.2 Restrict access to least privilege by job function
10.2 Implement audit logs to support anomaly detection
12.8 Manage third-party service provider risk
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): N, Network
Attack Complexity (AC): L, Low
Privileges Required (PR): L, Low (an authenticated Author account)
User Interaction (UI): N, None
Scope (S): U, Unchanged
Confidentiality (C): H, High
Integrity (I): H, High
Availability (A): H, High
📋 Quick Facts
Severity High
CVSS Score8.8
CWECWE-434
EPSS0.05%
Exploit No
Patch ✓ Yes
Published 2026-01-16
Source Feed nvd
Priority: CRITICAL
🏷️ Tags
CWE-434