CVE-2025-14947 is a vulnerability classified under CWE-862 (Missing Authorization) found in the All-in-One Video Gallery plugin for WordPress, developed by plugins360. The flaw exists in the AJAX callback functions `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`, which lack proper capability checks to verify whether the requester is authorized to perform video creation, retrieval, or deletion operations on the Bunny Stream CDN linked to the victim's account. The vulnerability affects all versions up to and including 4.6.4. Attackers can exploit this by obtaining a valid nonce, which is exposed in publicly accessible player templates, enabling unauthenticated remote attackers to manipulate video content without needing authentication or user interaction. The vulnerability impacts the integrity and availability of video content hosted on Bunny Stream CDN, potentially allowing attackers to disrupt services or inject unauthorized content. The CVSS v3.1 score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity and availability. No known exploits have been reported in the wild, and no official patches have been published at the time of analysis. The vulnerability highlights a critical security design flaw in the plugin's authorization model, emphasizing the need for robust capability checks in AJAX handlers that interact with external content delivery networks.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of video content hosted via the All-in-One Video Gallery plugin integrated with Bunny Stream CDN. Organizations relying on this plugin for marketing, training, or customer engagement could face unauthorized video deletions or injections, leading to service disruption, reputational damage, and potential misinformation if malicious content is uploaded. The lack of authentication requirements and the public exposure of the nonce increase the risk of automated exploitation attempts. While confidentiality is not directly impacted, the manipulation of publicly visible content can indirectly affect trust and user experience. The impact is more pronounced for media companies, educational institutions, and e-commerce platforms in Europe that utilize WordPress and Bunny Stream CDN for video delivery. Additionally, the disruption of video services could affect compliance with digital accessibility and content integrity regulations under EU law.

1. Immediately audit and restrict the exposure of nonces in public player templates to prevent unauthorized access. 2. Implement strict capability and authorization checks within the AJAX callback functions to ensure only authenticated and authorized users can create, retrieve, or delete videos. 3. Monitor all video content changes on Bunny Stream CDN for unauthorized modifications and maintain detailed logs for forensic analysis. 4. Temporarily disable or restrict the All-in-One Video Gallery plugin’s integration with Bunny Stream CDN until a security patch is available. 5. Engage with the plugin vendor (plugins360) and WordPress security community to track patch releases and apply updates promptly. 6. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable endpoints. 7. Educate site administrators about the risks of nonce exposure and best practices for secure plugin configuration. 8. Consider alternative video gallery plugins with verified security postures if immediate patching is not feasible.