Description

WordPress Plugin All-in-One Video Gallery is prone to multiple vulnerabilities, including arbitrary file download and server-side request forgery vulnerabilities. Exploiting these issues may allow an attacker to gain access to sensitive information, which may aid in launching further attacks, or to make the vulnerable server perform port scanning of hosts in internal or external networks; other attacks are also possible. WordPress Plugin All-in-One Video Gallery versions 2.5.8 - 2.6.0 are vulnerable.

Remediation

Update to plugin version 2.6.1 or latest

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2633

https://plugins.svn.wordpress.org/all-in-one-video-gallery/trunk/README.txt

Related Vulnerabilities

WordPress Plugin Blogomatic Cross-Site Scripting (1.0)

WordPress Plugin WPCafe-Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce Cross-Site Scripting (2.1.4)

Oracle Database Server Other Vulnerability (CVE-2007-3855)

Question2Answer Improper Input Validation Vulnerability (CVE-2017-12775)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4284)

Severity

High

Classification

CVE-2022-2633 CWE-538 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update