
CVE-2025-15516: CWE-862 Missing Authorization in plugins360 All-in-One Video Gallery

Severity: Medium
Published: Sat Jan 24 2026 (01/24/2026, 08:26:33 UTC)
Source: CVE Database V5
Vendor/Project: plugins360
Product: All-in-One Video Gallery

Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 12:02:32 UTC

Technical Analysis

The All-in-One Video Gallery plugin for WordPress, developed by plugins360, contains a vulnerability identified as CVE-2025-15516, classified under CWE-862 (Missing Authorization). This flaw exists in versions 4.1.0 through 4.6.4 due to the absence of a capability check in the ajax_callback_store_user_meta() function. Specifically, the function fails to verify whether the authenticated user has the appropriate permissions before allowing updates to user meta data. As a result, any authenticated user with at least Subscriber-level access can update arbitrary string-based user meta keys associated with their own account. This unauthorized modification capability can be leveraged to alter user metadata, potentially affecting user profile attributes or plugin-specific data stored in user meta fields. The vulnerability does not permit modification of other users' data, nor does it directly expose confidential information or cause denial of service. The CVSS v3.1 base score is 4.3 (medium), reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability was reserved and published in January 2026, with Wordfence as the assigner. This issue highlights the importance of proper authorization checks in AJAX handlers within WordPress plugins to prevent unauthorized data manipulation.

Potential Impact

The primary impact of CVE-2025-15516 is the unauthorized modification of user meta data for the attacker's own account. While this does not directly compromise confidentiality or availability, it undermines data integrity and could facilitate indirect attacks such as privilege escalation if the altered user meta influences access controls or plugin behavior. For example, if certain capabilities or roles are stored or influenced by user meta keys, an attacker might manipulate these to gain higher privileges or bypass restrictions. Additionally, altered user meta could disrupt plugin functionality or user experience, potentially leading to misconfigurations or inconsistent application states. Organizations running WordPress sites with this plugin are at risk of having user data integrity compromised, which could affect site reliability and trustworthiness. Since the vulnerability requires authenticated access at Subscriber level or above, the risk is limited to environments where user registration or lower privilege accounts are allowed. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation, especially given the widespread use of WordPress and its plugins globally.

Mitigation Recommendations

To mitigate CVE-2025-15516, organizations should:

1) Immediately update the All-in-One Video Gallery plugin to a patched version once released by plugins360. Monitor official plugin repositories and vendor advisories for updates.
2) If a patch is not yet available, implement temporary access controls to restrict Subscriber-level or lower users from accessing or triggering the vulnerable AJAX endpoint, possibly via web application firewall (WAF) rules or custom code hooks.
3) Audit user meta data for suspicious or unauthorized changes, especially focusing on fields that could influence permissions or plugin behavior.
4) Limit user registrations or enforce stricter user role assignments to reduce the number of accounts with Subscriber or higher privileges.
5) Apply the principle of least privilege to user roles and review plugin configurations to minimize exposure.
6) Monitor logs for unusual AJAX requests targeting the ajax_callback_store_user_meta() function or related endpoints.
7) Educate site administrators about the risks of missing authorization checks in plugins and encourage regular security assessments of installed plugins.

These steps go beyond generic advice by focusing on immediate containment, monitoring, and role management tailored to the vulnerability's specifics.
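An added example of the audit in step 3 (not code from the plugin, the vendor or this advisory): it diffs a pre-exposure backup export of the user meta table against the current one and lists every added or changed key, with the core role-bearing keys first. The CSV layout, the `wp_` table prefix and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data: two exports of the usermeta table, one from a backup
# taken before the vulnerable plugin version was installed, one from the live site.
BASELINE_CSV = """user_id,meta_key,meta_value
7,nickname,alice
7,wp_capabilities,"a:1:{s:10:""subscriber"";b:1;}"
7,wp_user_level,0
9,nickname,bob
"""
CURRENT_CSV = """user_id,meta_key,meta_value
7,nickname,alice
7,wp_capabilities,"a:1:{s:10:""subscriber"";b:1;}"
7,wp_user_level,10
7,example_plugin_flag,yes
9,nickname,bobby
"""

# WordPress core stores role data under <table prefix> + these suffixes.
SENSITIVE_SUFFIXES = ("capabilities", "user_level")


def load(text):
    """Map (user_id, meta_key) -> meta_value; assumes one row per user and key."""
    return {(int(r["user_id"]), r["meta_key"]): r["meta_value"]
            for r in csv.DictReader(io.StringIO(text))}


def audit(baseline_text, current_text):
    """Return keys added or changed since the baseline, role-bearing keys first."""
    old, new = load(baseline_text), load(current_text)
    findings = []
    for (uid, key), value in new.items():
        if (uid, key) not in old:
            change = "added"
        elif old[(uid, key)] != value:
            change = "changed"
        else:
            continue  # unchanged row, nothing to report
        severity = "high" if key.endswith(SENSITIVE_SUFFIXES) else "review"
        findings.append({"user_id": uid, "meta_key": key,
                         "change": change, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["user_id"], f["meta_key"]))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_CSV, CURRENT_CSV):
        print(finding)
```

Entries marked `review` still need a human decision: legitimate profile edits and plugin updates also change user meta.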


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-13T12:15:44.145Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6974846c4623b1157ca99ed1

Added to database: 1/24/2026, 8:35:56 AM

Last enriched: 2/27/2026, 12:02:32 PM

Last updated: 3/25/2026, 2:48:21 AM
