Unauthorized Data Modification in All-in-One Video Gallery Plugin for WordPress
CVE-2025-15516

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: All-in-one Video Gallery
Vendor: CVE Published:; 24 January 2026

What is CVE-2025-15516?

The All-in-One Video Gallery plugin for WordPress has a vulnerability that allows authenticated attackers, possessing Subscriber-level access and above, to manipulate data without proper authorization. This is due to a missing capability check in the ajax_callback_store_user_meta() function, enabling attackers to modify arbitrary string-based user meta keys for their own accounts from versions 4.1.0 to 4.6.4.

Affected Version(s)

All-in-One Video Gallery 4.1.0 <= 4.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/all-in-one-vid...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2026
Vulnerability Reserved
Jan 13, 2026

Credit

Kenneth Dunn

CVE-2025-15516 Data

JSON