CVE-2025-12966 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the All-in-One Video Gallery plugin for WordPress, specifically versions 4.5.4 through 4.5.7. The root cause is the absence of proper file type validation in the resolve_import_directory() function, which handles file uploads within the plugin. Authenticated users with Author-level privileges or higher can exploit this flaw to upload arbitrary files, including potentially malicious scripts, to the web server hosting the WordPress site. This capability can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands, escalate privileges, and compromise the entire server environment. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication, making it a critical risk for sites using this plugin. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and privileges required. While no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a prime target for attackers once weaponized. The plugin is widely used in WordPress environments, which are prevalent globally, increasing the potential attack surface. The lack of an official patch at the time of publication necessitates immediate mitigation efforts by administrators.

The impact of CVE-2025-12966 is severe for organizations running WordPress sites with the vulnerable All-in-One Video Gallery plugin. Successful exploitation can lead to remote code execution, enabling attackers to take full control of the affected web server. This can result in data breaches, defacement, deployment of malware or ransomware, lateral movement within the network, and disruption of services. Confidential information stored or processed by the website can be exposed or altered, damaging organizational reputation and potentially leading to regulatory penalties. The vulnerability's exploitation requires only Author-level access, which is commonly granted to contributors or content creators, increasing the risk from insider threats or compromised user accounts. Given WordPress's dominant market share in content management systems worldwide, the scope of affected systems is extensive. The availability of the plugin in many websites means that a large number of organizations, including small businesses, media companies, and enterprises, could be impacted. The absence of known exploits currently provides a window for proactive defense, but the risk of rapid exploitation remains high once exploit code becomes public.

To mitigate CVE-2025-12966, organizations should immediately audit their WordPress installations for the presence of the All-in-One Video Gallery plugin versions 4.5.4 to 4.5.7. Until an official patch is released, administrators should restrict plugin usage to trusted users only, ideally limiting Author-level access or higher to essential personnel. Implement strict file upload monitoring and logging to detect any unauthorized or suspicious uploads. Employ web application firewalls (WAFs) with rules designed to detect and block malicious file uploads or unusual HTTP requests targeting the plugin's upload functionality. Consider disabling or removing the plugin temporarily if it is not critical to operations. Harden the WordPress environment by applying the principle of least privilege, ensuring that the web server user has minimal permissions to execute uploaded files. Regularly back up website data and configurations to enable rapid recovery in case of compromise. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. Additionally, conduct user training to reduce the risk of credential compromise that could facilitate exploitation.