CVE-2024-4670: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in plugins360 All-in-One Video Gallery
CVE-2024-4670 is a high-severity Local File Inclusion (LFI) vulnerability in the All-in-One Video Gallery WordPress plugin, affecting all versions up to and including 3.6.5. An authenticated user with the Contributor role or higher can abuse the aiovg_search_form shortcode to make the server include, and therefore execute, an arbitrary file. Because an included file is run by the PHP engine whatever its extension, this becomes remote code execution wherever the attacker can also place a file containing PHP code on the server, for example one disguised as an image or another normally harmless upload type. The flaw lets an attacker bypass access controls, read sensitive data and execute arbitrary PHP code with no user interaction. No exploitation in the wild has been reported, but the low attack complexity and the impact are significant, so organizations running this plugin should prioritize patching or mitigation.
AI Analysis
Technical Summary
CVE-2024-4670 is a Local File Inclusion vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement). CWE-98 is titled 'PHP Remote File Inclusion', but the same weakness covers local inclusion, and the reported behaviour here is inclusion of files that already exist on the server. It affects the All-in-One Video Gallery plugin for WordPress in all versions up to and including 3.6.5. The flaw lies in the plugin's aiovg_search_form shortcode: a value supplied through the shortcode is used to build the filename handed to a PHP include or require statement without adequate restriction, so the caller decides which file the PHP engine loads. The Contributor role is enough because Contributors can create and edit posts (though not publish them) and can place shortcodes in that content; the handler runs as soon as the draft is previewed. PHP executes any code found in an included file regardless of its extension, so if the attacker can also get a file containing PHP onto the server, for instance one disguised as an image or another normally safe type, the inclusion turns into remote code execution; a file with no PHP tags is simply emitted into the page, which is the data-exposure path. One caveat: a default Contributor does not hold the upload_files capability (that starts at Author), so the full file-drop-plus-execute chain from a Contributor account needs some other way to place the file, while the inclusion primitive alone still lets the attacker load any file the web server user can read. The CVSS v3.1 base score is 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, low privileges, no user interaction, and high impact on confidentiality, integrity and availability. No public exploit had been reported at the time of this analysis, but sites that allow open registration with Contributor as the default role, or that carry many Contributor accounts, are particularly exposed. The affected range is stated as up to and including 3.6.5, so later releases fall outside it; confirm in the plugin changelog which release carries the fix, and treat the mitigations below as the primary control wherever an update cannot be applied.
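The following is an added illustration of the CWE-98 pattern described above and of one way to close it; it is not the plugin's code and not from the advisory. The shortcode name is the one the advisory names, but the `template` attribute, the templates directory layout, the `example_*` function names and the sample files are assumptions made for this example. Run it from the command line with the PHP CLI; it builds a throwaway directory tree so that nothing on the real site is touched.

```php
<?php
// Added illustration of the CWE-98 pattern behind CVE-2024-4670 and one way to fix it.
// This is NOT the plugin's code: the shortcode name is the one from the advisory, but
// the "template" attribute, the templates directory and every function name here are
// assumptions made for the example.

// Stand-ins for two WordPress functions so the file runs from the CLI without WordPress.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $defaults, array $atts ) {
        return array_merge( $defaults, array_intersect_key( $atts, $defaults ) );
    }
}
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $callback ) { $GLOBALS['example_shortcodes'][ $tag ] = $callback; }
}

// VULNERABLE: the file name comes straight from a shortcode attribute that any
// Contributor can write into a draft post and reaches include() unchanged. A value such
// as "../uploads/2024/05/avatar.gif" walks out of the templates directory and runs
// whatever PHP the target file contains, whatever its extension.
function example_search_form_vulnerable( $atts, $template_dir ) {
    $atts = shortcode_atts( array( 'template' => 'search-form.php' ), (array) $atts );
    ob_start();
    include $template_dir . '/' . $atts['template'];
    return ob_get_clean();
}

// HARDENED: map the requested name to a file through a fixed allowlist, so no
// attacker-controlled bytes ever become part of the include path, then confirm the
// resolved path still lies inside the templates directory (defence in depth against a
// bad allowlist entry or a symlink).
function example_resolve_template( $name, $template_dir ) {
    static $allowed = array(
        'search-form'         => 'search-form.php',
        'search-form-compact' => 'search-form-compact.php',
    );
    if ( ! is_string( $name ) || ! isset( $allowed[ $name ] ) ) {
        return null;                       // unknown name: refuse rather than "clean" it
    }
    $base = realpath( $template_dir );
    $path = realpath( $template_dir . '/' . $allowed[ $name ] );
    if ( false === $base || false === $path
        || strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $path;
}

function example_search_form_hardened( $atts, $template_dir ) {
    $atts = shortcode_atts( array( 'template' => 'search-form' ), (array) $atts );
    $path = example_resolve_template( $atts['template'], $template_dir );
    if ( null === $path ) {
        return '';                         // fail closed; a real plugin would also log this
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// CLI demonstration on a throwaway directory layout built here (constructed data).
if ( PHP_SAPI === 'cli' ) {
    $root = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
    mkdir( "$root/templates", 0700, true );
    mkdir( "$root/uploads/2024/05", 0700, true );
    file_put_contents( "$root/templates/search-form.php", '<form>legit search form</form>' );
    // A "GIF" that is really PHP: the disguised upload the advisory describes. The
    // GIF89a header satisfies naive type checks; include() still executes the tag.
    file_put_contents( "$root/uploads/2024/05/avatar.gif",
        "GIF89a<?php echo 'code ran as ' . get_current_user(); ?>" );

    $attack = array( 'template' => '../uploads/2024/05/avatar.gif' );
    echo "vulnerable: ", example_search_form_vulnerable( $attack, "$root/templates" ), PHP_EOL;
    echo "hardened:   [", example_search_form_hardened( $attack, "$root/templates" ), "]", PHP_EOL;
    echo "hardened, legitimate name: ",
        example_search_form_hardened( array( 'template' => 'search-form' ), "$root/templates" ), PHP_EOL;
}
```

The vulnerable branch prints the GIF header followed by the output of the embedded PHP; the hardened branch prints an empty result for the traversal value and the real template for the allowlisted name. The fix deliberately avoids stripping `../` or checking extensions: an allowlist keyed by a short name means the attacker's string is compared, never concatenated, and the realpath check catches the case where an allowlist entry itself is wrong. An inclusion primitive built on string concatenation also accepts stream wrappers such as `php://filter`, which read source rather than execute it, so "no dangerous characters" filtering is not an adequate substitute.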
Potential Impact
Exploitation of CVE-2024-4670 can have severe consequences for affected organizations. Code included through the flaw runs as the PHP worker user, so the attacker inherits whatever that account can reach: the database credentials in wp-config.php, every file under the web root, and any internal services the web server can talk to. That makes full site compromise, data theft, defacement and pivoting into the internal network all realistic outcomes. Integrity of site content and back-end systems can be undermined, and availability disrupted by encrypting or deleting critical files. Because Contributor-level access is sufficient, organizations with open or weakly controlled user registration are at higher risk. A compromise also undermines trust in the affected site and can bring reputational damage and regulatory consequences if personal or other sensitive data is exposed.
Mitigation Recommendations
Update the plugin to a release newer than 3.6.5 as soon as the vendor's changelog confirms the fix. Until then, deactivating All-in-One Video Gallery removes the shortcode handler and is the most reliable stopgap, and removing the plugin outright is appropriate if it is not essential. Review who holds the Contributor role or higher (for example with `wp user list --role=contributor`) and remove or downgrade accounts that do not need it; if "Anyone can register" is enabled under Settings > General, disable it or make sure the default role is Subscriber, since the Contributor role is the entry point for this issue. Confirm that no other plugin or role editor has granted Contributors the upload_files capability, because that is what turns the inclusion into a file-drop-plus-execute chain. Hunt the uploads directory for files that carry PHP open tags under media extensions and for any .php, .phtml or .phar files under wp-content/uploads, and check recently edited drafts for aiovg_search_form shortcodes whose attributes contain path separators, "..", or stream wrappers such as php://. Add a WAF or virtual-patching rule that rejects post content carrying the aiovg_search_form shortcode with such values, bearing in mind that a request-level rule sees the post save or preview request, not the include itself. Note that the common hardening of denying direct PHP execution in wp-content/uploads (via .htaccess or the nginx configuration) does not break this chain, because the file is loaded by the plugin's own PHP through include() rather than requested from the web server; it remains worthwhile against other upload flaws. Run PHP as a low-privileged user with open_basedir limiting the directories it can read, which also constrains what an inclusion primitive can reach. Keep backups current, maintain an incident response plan, and audit plugin versions regularly so the fixed release is applied promptly.
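The "hunt the uploads directory" step above, as an added hunting script that is not part of the plugin, the advisory, or WordPress itself. It walks a WordPress uploads tree and reports two things: files with server-side extensions that should never be in uploads at all, and media-named files that contain a PHP open tag and would therefore execute if include()d. The extension lists, the `example_*` names, the byte limit and the constructed sample tree are this example's own choices.

```php
<?php
// Added hunting script, not part of the plugin or the advisory. Walks a WordPress uploads
// directory and reports files that could serve as the second half of the CVE-2024-4670
// chain: media-named files that carry PHP code, and files with server-side extensions
// that should never be in uploads at all. The extension lists, signatures and output
// format are this example's own choices.

const EXAMPLE_MEDIA_EXT  = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'svg', 'mp4', 'webm', 'mp3', 'txt', 'pdf' );
const EXAMPLE_SERVER_EXT = array( 'php', 'php3', 'php5', 'php7', 'phtml', 'phar', 'inc' );

// Opening tags that make the PHP engine execute a file once it is include()d.
// The tag match is case-insensitive because "<?PHP" is accepted by the engine too.
function example_php_tag_offsets( $bytes ) {
    $hits = array();
    foreach ( array( '<?php', '<?=' ) as $tag ) {
        $pos = stripos( $bytes, $tag );
        if ( false !== $pos ) { $hits[ $tag ] = $pos; }
    }
    return $hits;
}

// Returns array( path => reason ). Reads at most $max_bytes per file so it is safe to run
// over a large media library; raise the limit if payloads could sit deep in EXIF/ID3 data.
function example_scan_uploads( $dir, $max_bytes = 1048576 ) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) { continue; }
        $path = $file->getPathname();
        // Look at every extension in the name: "shell.php.jpg" and "shell.jpg.php" both matter.
        $parts = array_map( 'strtolower', array_slice( explode( '.', $file->getFilename() ), 1 ) );
        if ( array_intersect( $parts, EXAMPLE_SERVER_EXT ) ) {
            $findings[ $path ] = 'server-side extension inside uploads';
            continue;
        }
        if ( ! array_intersect( $parts, EXAMPLE_MEDIA_EXT ) ) { continue; }
        $bytes = file_get_contents( $path, false, null, 0, $max_bytes );
        if ( false === $bytes ) { continue; }
        $tags = example_php_tag_offsets( $bytes );
        if ( $tags ) {
            $tag = key( $tags );   // first tag found
            $findings[ $path ] = sprintf( 'PHP open tag "%s" at byte offset %d in a media-named file',
                $tag, $tags[ $tag ] );
        }
    }
    ksort( $findings );
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    if ( $argc < 2 ) {
        // No directory given: build a constructed sample tree so the script demonstrates itself.
        $dir = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
        mkdir( "$dir/2024/05", 0700, true );
        file_put_contents( "$dir/2024/05/real.gif", "GIF89a\x01\x00\x01\x00" );           // clean
        file_put_contents( "$dir/2024/05/avatar.gif", "GIF89a<?php system(\$_GET['c']); ?>" ); // polyglot
        file_put_contents( "$dir/2024/05/notes.txt", "<?= 'x' ?>" );                      // short tag
        file_put_contents( "$dir/2024/05/shell.php.jpg", "<?php phpinfo(); ?>" );          // double ext
        fwrite( STDERR, "no directory given; scanning constructed sample tree $dir\n" );
    } else {
        $dir = $argv[1];
    }
    foreach ( example_scan_uploads( $dir ) as $path => $reason ) {
        echo "$path: $reason\n";
    }
}
```

Point it at the real directory with `php scan.php /var/www/html/wp-content/uploads` (the script name and path are placeholders). With no argument it scans a constructed tree and reports three of the four sample files, leaving the clean GIF alone. A hit is not proof of compromise, since legitimate text or SVG files can contain those byte sequences, but any media file that would execute code when included deserves to be quarantined and its upload history reviewed. The scan looks for what makes a file dangerous to include(), not for whether it is a valid image, because a valid image with a PHP tag in a comment field is exactly the disguised upload this chain relies on.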
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-08T22:14:24.974Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b94b7ef31ef0b556ddb
Added to database: 2/25/2026, 9:37:24 PM
Last enriched: 2/26/2026, 12:52:22 AM
Last updated: 2/26/2026, 8:08:25 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)