CVE-2025-14947: CWE-862 Missing Authorization in plugins360 All-in-One Video Gallery
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.
AI Analysis
Technical Summary
CVE-2025-14947 is a vulnerability classified under CWE-862 (Missing Authorization) found in the All-in-One Video Gallery plugin for WordPress, developed by plugins360. This plugin integrates video management capabilities with Bunny Stream CDN, allowing users to create, retrieve, and delete videos via AJAX callback functions: `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video`. The vulnerability arises because these functions lack proper capability checks, meaning they do not verify whether the requester is authorized to perform these actions. Although a nonce is required to invoke these AJAX endpoints, the nonce is exposed publicly within player templates, making it accessible to unauthenticated attackers. Consequently, an attacker who obtains this nonce can manipulate video content on the victim's Bunny Stream CDN account without authentication or user interaction. This can lead to unauthorized video creation or deletion, impacting the integrity and availability of video assets. The vulnerability affects all versions up to and including 4.6.4 of the plugin. The CVSS v3.1 score is 6.5 (medium severity), with attack vector Network, low attack complexity, no privileges required, no user interaction, and unchanged scope. No patches or known exploits have been reported as of the publication date (January 23, 2026).
Potential Impact
The primary impact of CVE-2025-14947 is on the integrity and availability of video content hosted via the All-in-One Video Gallery plugin integrated with Bunny Stream CDN. Unauthorized attackers can create or delete videos on the victim's Bunny Stream account, potentially leading to content tampering, loss of critical media assets, or disruption of services relying on these videos. This can damage brand reputation, cause operational disruptions, and lead to financial losses, especially for organizations that rely heavily on video content for marketing, training, or customer engagement. Since the vulnerability requires no authentication and no user interaction, exploitation can be automated and widespread. However, confidentiality is not directly impacted as the vulnerability does not expose sensitive data. The lack of known exploits in the wild suggests limited current exploitation, but the public exposure of the nonce increases the risk of future attacks. Organizations with high reliance on WordPress and Bunny Stream CDN integrations are particularly vulnerable.
Mitigation Recommendations
To mitigate CVE-2025-14947, organizations should take the following specific actions:
1) Immediately update the All-in-One Video Gallery plugin to a patched version once released by plugins360. In the absence of a patch, consider temporarily disabling the plugin or restricting its use.
2) Audit and restrict nonce exposure in public player templates to prevent unauthenticated access to sensitive AJAX endpoints.
3) Implement additional server-side authorization checks on AJAX callback functions to ensure only authorized users can create, retrieve, or delete Bunny Stream videos.
4) Monitor logs for unusual activity related to video creation or deletion, especially from unauthenticated sources.
5) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting these endpoints.
6) Educate site administrators on the risks of exposing nonces publicly and best practices for secure plugin configuration.
7) Review Bunny Stream CDN account activity for unauthorized changes and rotate API keys or credentials if suspicious activity is detected.
These steps go beyond generic advice by focusing on nonce management, server-side authorization enforcement, and proactive monitoring tailored to this vulnerability.
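The server-side authorization check recommended above, shown as an added example that is not the plugin's own code: a nonce-only AJAX handler beside a hardened one. Every `example_*` name, the nonce action, the `security` and `video_id` parameters, and the `manage_options` capability are hypothetical assumptions.

```php
<?php
/**
 * Added illustration; NOT the plugin's source. All example_* names, the
 * nonce action and the chosen capability are hypothetical.
 */

// Stand-in for the call that deletes a video through the CDN API.
function example_cdn_delete( $video_id ) {
    error_log( 'example: CDN delete requested for ' . $video_id );
    return true;
}

// BEFORE (flawed pattern): the nonce is the only gate. A nonce printed into
// a public player page can be read by any visitor, so it authorizes nothing.
function example_delete_video_nonce_only() {
    check_ajax_referer( 'example_video_nonce', 'security' );
    $video_id = sanitize_text_field( wp_unslash( $_POST['video_id'] ?? '' ) );
    example_cdn_delete( $video_id );
    wp_send_json_success();
}

// AFTER: nonce for request intent, capability check for authorization.
function example_delete_video_hardened() {
    check_ajax_referer( 'example_video_nonce', 'security' );

    // Assumed capability; pick the one that matches who may manage videos.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $video_id = sanitize_text_field( wp_unslash( $_POST['video_id'] ?? '' ) );
    if ( '' === $video_id ) {
        wp_send_json_error( array( 'message' => 'Missing video_id' ), 400 );
    }

    example_cdn_delete( $video_id );
    wp_send_json_success();
}

// Register for logged-in users only. With no wp_ajax_nopriv_* hook,
// anonymous requests never reach the handler.
add_action( 'wp_ajax_example_delete_video', 'example_delete_video_hardened' );
```

A WordPress nonce protects against forged requests from a user's browser; it does not identify or authorize the caller, which is why the capability check is the control that matters here.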
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-19T03:58:17.450Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6973b17e4623b1157c537c8c
Added to database: 1/23/2026, 5:35:58 PM
Last enriched: 2/27/2026, 11:45:32 AM
Last updated: 3/26/2026, 4:12:47 AM