CVE-2025-12957: CWE-434 Unrestricted Upload of File with Dangerous Type in plugins360 All-in-One Video Gallery
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows double-extension files to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-12957 is a critical vulnerability categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the All-in-One Video Gallery plugin for WordPress, versions up to and including 4.5.7. The core issue stems from insufficient validation of uploaded file types, specifically VTT (Web Video Text Tracks) files. The plugin's sanitization mechanism fails to properly detect and block files with double extensions (e.g., malicious.php.vtt), allowing attackers to upload arbitrary files disguised as valid VTT files. This flaw can be exploited by authenticated users with author-level privileges or higher, enabling them to place malicious files on the server. Such files could be leveraged to execute remote code, leading to full compromise of the web server hosting the WordPress site. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity. The CVSS v3.1 score of 8.8 reflects high confidentiality, integrity, and availability impacts, with low attack complexity and low privileges required. Although no known exploits have been reported in the wild, the potential for remote code execution makes this a significant threat. The vulnerability was publicly disclosed on January 16, 2026, and no official patches have been linked yet, indicating the need for immediate mitigation steps by site administrators.
Potential Impact
The vulnerability allows attackers with author-level access to upload arbitrary files, which can lead to remote code execution on the web server. This can result in complete compromise of the affected WordPress site, including unauthorized access to sensitive data, defacement, data loss, or use of the server as a pivot point for further attacks within the network. The integrity of the website content and availability of services can be severely impacted, potentially causing reputational damage and operational disruption. Since WordPress powers a significant portion of the web, and plugins like All-in-One Video Gallery are widely used, the scope of affected systems is substantial. Attackers exploiting this vulnerability can bypass typical file upload restrictions, making it easier to deploy web shells or malware. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple authors or compromised credentials. Organizations relying on this plugin face elevated risk of targeted attacks and should consider this vulnerability a high priority for remediation.
Mitigation Recommendations
1. Immediately restrict author-level users from uploading files until a patch is available.
2. Implement strict file upload validation on the server side, including checking MIME types, file extensions, and scanning for double extensions.
3. Use web application firewalls (WAFs) with custom rules to detect and block suspicious file uploads, especially those containing double extensions or unusual file types.
4. Monitor file upload directories for unexpected file types and newly added files, using automated alerting systems.
5. Limit the number of users with author-level or higher privileges and enforce strong authentication mechanisms, including multi-factor authentication (MFA).
6. Regularly update WordPress core, plugins, and themes to the latest versions once patches for this vulnerability are released.
7. Conduct periodic security audits and penetration testing focused on file upload functionalities.
8. Consider isolating the upload directory with restrictive permissions and disabling execution of uploaded files where possible.
9. Back up website data regularly to enable quick recovery in case of compromise.
10. Stay informed through official plugin channels and security advisories for patch releases and updates.
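Recommendations 2 (server-side validation that catches double extensions) and 4 (monitoring the upload directory) can share one rule set. The Python below is an added example written for this page, not code from the All-in-One Video Gallery plugin or from Wordfence; the allow-list, the executable-extension list and the sample directory listing are assumptions constructed for the demonstration.

```python
from pathlib import PurePosixPath

# Extensions a typical LAMP stack may hand to an interpreter. Apache's mod_mime looks at every
# dot-separated part of a name, so "evil.php.vtt" can still run as PHP where an AddHandler mapping exists.
EXECUTABLE_EXTS = {"php", "php3", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh", "htaccess"}
# Constructed allow-list for a video gallery site (assumption, not the plugin's own list).
ALLOWED_EXTS = {"vtt", "srt", "mp4", "webm", "jpg", "jpeg", "png", "gif"}
UTF8_BOM = b"\xef\xbb\xbf"

def all_extensions(filename: str) -> list[str]:
    """Every extension of the base name, lowercased: 'a/evil.PHP.vtt' -> ['php', 'vtt']."""
    return PurePosixPath(filename).name.lower().split(".")[1:]

def looks_like_vtt(head: bytes) -> bool:
    """WebVTT signature: optional UTF-8 BOM, 'WEBVTT', then space/tab/newline or end of input."""
    body = head[len(UTF8_BOM):] if head.startswith(UTF8_BOM) else head
    return body.startswith(b"WEBVTT") and body[6:7] in (b"", b" ", b"\t", b"\r", b"\n")

def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Server-side check for one upload; returns (accepted, reason)."""
    exts = all_extensions(filename)
    if not exts:
        return False, "no extension"
    if exts[-1] not in ALLOWED_EXTS:
        return False, f"extension .{exts[-1]} not on allow-list"
    # The CWE-434 pattern on this page: a trailing .vtt hiding an executable inner extension.
    for inner in exts[:-1]:
        if inner in EXECUTABLE_EXTS:
            return False, f"double extension with executable part .{inner}"
    # The extension alone is not enough: the bytes must match the declared type.
    if exts[-1] == "vtt" and not looks_like_vtt(head):
        return False, "declared .vtt but content lacks WEBVTT signature"
    return True, "ok"

def scan_upload_dir(entries: list[tuple[str, bytes]]) -> list[tuple[str, str]]:
    """Apply the same rules to files already on disk; returns (name, reason) for each reject."""
    rejected = []
    for name, head in entries:
        ok, reason = validate_upload(name, head)
        if not ok:
            rejected.append((name, reason))
    return rejected

# Constructed sample of an upload directory as (name, first bytes); not real data.
SAMPLE_UPLOADS = [
    ("captions.vtt", b"WEBVTT\n\n00:00.000 --> 00:02.000\nHello"),
    ("subs.php.vtt", b"WEBVTT\n<?php /* not a caption file */ ?>"),
    ("track.vtt", b"<?php /* wrong signature */ ?>"),
    (".htaccess", b"# server config, not media\n"),
]
```

Running `scan_upload_dir(SAMPLE_UPLOADS)` flags the three non-caption entries while accepting the genuine VTT file; the same function can be fed a real directory listing plus the first few bytes of each file.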
Affected Countries
United States, Germany, United Kingdom, India, Brazil, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T15:26:13.171Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6969c56d7c726673b6f0ba61
Added to database: 1/16/2026, 4:58:21 AM
Last enriched: 2/27/2026, 9:22:07 PM
Last updated: 3/26/2026, 3:35:24 AM