Arbitrary File Inclusion Vulnerability in All-in-One Video Gallery Plugin
CVE-2024-4670

8.8HIGH

Key Information:

Vendor: Wordpress
Status: All-in-one Video Gallery
Vendor: CVE Published:; 15 May 2024

What is CVE-2024-4670?

The All-in-One Video Gallery Plugin for WordPress is susceptible to a Local File Inclusion vulnerability that impacts all versions up to and including 3.6.5. This security flaw arises through the use of the aiovg_search_form shortcode, enabling authenticated users with contributor-level permissions or higher to include and execute arbitrary files stored on the server. Exploiting this vulnerability could allow attackers to bypass access controls, extract sensitive data, and execute PHP code contained in those files. This risk is heightened as it permits the inclusion of files uploaded in formats typically deemed secure, such as images.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

All-in-One Video Gallery * <= 3.6.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3085217/all-...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 15, 2024
Vulnerability Reserved
May 8, 2024

Credit

Ngô Thiên An

JSON

Wordpress

What is CVE-2024-4670?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.