CVE-2025-12966: CWE-434 Unrestricted Upload of File with Dangerous Type in plugins360 All-in-One Video Gallery
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-12966 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the All-in-One Video Gallery plugin for WordPress, specifically versions 4.5.4 through 4.5.7. The root cause lies in the resolve_import_directory() function, which lacks proper validation of file types during upload operations. Authenticated users with Author-level access or higher can exploit this flaw to upload arbitrary files, including potentially malicious scripts, to the server hosting the WordPress site. Since the plugin does not verify the file type or restrict dangerous file extensions, attackers can upload executable files that may lead to remote code execution (RCE). The vulnerability requires no user interaction beyond authentication, and the attack vector is network-based, making it accessible remotely. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. Although no public exploits have been reported yet, the vulnerability presents a significant risk due to the widespread use of WordPress and this plugin in particular. The lack of patch links indicates that a fix may not yet be available, emphasizing the need for immediate mitigation strategies. The vulnerability's exploitation could allow attackers to gain control over the web server, steal sensitive data, deface websites, or use the compromised server as a pivot point for further attacks.
Potential Impact
For European organizations, this vulnerability poses a serious threat to the security of WordPress-based websites, especially those using the All-in-One Video Gallery plugin. Successful exploitation can lead to unauthorized access, data breaches, website defacement, and disruption of services. Confidential business information and customer data could be exposed or manipulated, leading to regulatory compliance issues under GDPR. The availability of affected websites could be compromised, impacting business operations and reputation. Given the high adoption of WordPress in Europe for e-commerce, media, and corporate websites, the risk is amplified. Attackers could leverage compromised sites to launch further attacks within the network or distribute malware to visitors. Organizations in sectors such as finance, healthcare, and government are particularly vulnerable due to the sensitivity of their data and the potential impact of service outages.
Mitigation Recommendations
1. Immediately restrict upload permissions to only trusted users and roles, minimizing the number of users with Author-level or higher access.
2. Implement strict file upload validation at the web server or application firewall level to block dangerous file types and extensions commonly used for code execution (e.g., .php, .exe, .js).
3. Monitor and audit file upload directories for suspicious or unauthorized files regularly.
4. Employ web application firewalls (WAF) with rules to detect and block arbitrary file upload attempts targeting this plugin.
5. Disable or remove the All-in-One Video Gallery plugin if not essential until a security patch is released.
6. Keep WordPress core and all plugins updated; apply security patches from plugins360 promptly once available.
7. Use the principle of least privilege for WordPress user roles to limit potential exploitation.
8. Conduct regular security assessments and penetration testing focused on file upload functionalities.
9. Back up website data frequently to enable quick recovery in case of compromise.
10. Educate site administrators about the risks of arbitrary file uploads and signs of compromise.
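The missing validation described above and the audit in recommendation 3, shown as an added example that is not the plugin's code or this advisory's: an allowlist check of the kind an import path should apply before accepting a file, and a scan over a WordPress uploads tree that flags what such a check would have rejected. The extension sets, directory layout and sample files are assumptions constructed here.

```python
# Added example, not the plugin's code: import allowlist check + uploads-tree audit (assumed sets/paths).
import os
import tempfile

# Types a video gallery import legitimately needs (assumed allowlist).
ALLOWED_EXT = {"mp4", "webm", "ogv", "m4v", "mov", "jpg", "jpeg", "png", "gif", "webp"}
# Extensions a PHP-enabled server may execute; .htaccess can re-map handlers.
DANGEROUS_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "htaccess"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def is_allowed_import_file(filename: str, head: bytes) -> bool:
    """Reject dangerous dot segments ('shell.php.mp4') and PHP content behind any extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False  # no extension, or a dotfile such as .htaccess
    if any(seg in DANGEROUS_EXT for seg in segments[1:]):
        return False
    if segments[-1] not in ALLOWED_EXT:
        return False
    return not head.lstrip().startswith(PHP_OPEN_TAGS)

def scan_uploads(root: str) -> list[str]:
    """Walk an uploads tree and return relative paths failing the check."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(64)
            if not is_allowed_import_file(name, head):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)

def build_sample_tree() -> str:
    """Create a constructed uploads tree: one benign clip, three findings."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2025/12/intro.mp4": b"\x00\x00\x00\x18ftypmp42",  # real MP4 header bytes
        "2025/12/shell.php.mp4": b"<?php /* constructed */ ?>",  # double extension
        "2025/12/cover.png": b"<?php /* constructed */ ?>",  # PHP posing as an image
        "2025/12/.htaccess": b"# constructed sample",  # handler override file
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Pointing scan_uploads() at a real wp-content/uploads directory reports files that no video or image import should have produced; review each finding before removing it, since legitimate plugins do occasionally write non-media files there.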
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T17:26:44.049Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933f997b96ba7cdea88581c
Added to database: 12/6/2025, 9:38:31 AM
Last enriched: 12/6/2025, 9:53:41 AM
Last updated: 12/6/2025, 11:06:12 AM