Impact
The All‑In‑One Video Gallery plugin for WordPress contains a missing capability check in three AJAX callback functions – one that creates, one that fetches, and one that deletes media objects on the Bunny Stream CDN. Because the plugin does not verify whether the requester has the proper WordPress role, an attacker can submit a request that triggers any of these callbacks and cause a new video to be uploaded to the victim’s Bunny account or an existing video to be removed. The functions rely on a nonce for protection, but the nonce is embedded in public player templates and therefore can be obtained by an unauthenticated user.
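An added example, not the plugin's code, of an AJAX delete callback that checks a capability after the nonce, which is the check the three callbacks described above lack. The action name, nonce action, `example_cdn_api_key` option, `manage_options` capability choice and CDN URL are hypothetical placeholders.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Register for logged-in users only. A matching wp_ajax_nopriv_ hook would
// expose the callback to anonymous visitors.
add_action( 'wp_ajax_example_delete_remote_video', 'example_delete_remote_video' );

function example_delete_remote_video() {
    // 1. Nonce check. This only ties the request to a page the site rendered.
    //    A nonce printed in a public template is readable by any visitor, so
    //    a handler that stops here is effectively unauthenticated.
    if ( ! check_ajax_referer( 'example_remote_video_nonce', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization check: the requester must hold a capability that
    //    matches the action. wp_send_json_error() ends the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the identifier before it is placed in an outbound URL.
    $video_id = isset( $_POST['video_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['video_id'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,64}$/', $video_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid video id.' ), 400 );
    }

    // 4. Only now use the site owner's stored CDN credential.
    $response = wp_remote_request(
        'https://cdn.example.invalid/videos/' . rawurlencode( $video_id ), // placeholder URL
        array(
            'method'  => 'DELETE',
            'timeout' => 15,
            'headers' => array( 'Authorization' => 'Bearer ' . get_option( 'example_cdn_api_key' ) ),
        )
    );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => 'CDN request failed.' ), 502 );
    }

    wp_send_json_success( array( 'deleted' => $video_id ) );
}
```

The same two-step pattern applies to the create and fetch callbacks, and the nonce itself should only be emitted on pages rendered for users who hold the capability.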
Affected Systems
This issue affects all installations of the plugin up to and including version 4.6.4. Any WordPress site running the All‑In‑One Video Gallery on those versions – regardless of the WordPress theme or additional plugins – is potentially vulnerable. The risk is limited to sites that use the Bunny Stream CDN integration, because the attacker would need a valid Bearer token that normally belongs to the site owner. If the site is not using Bunny Stream, the vulnerability does not expose additional risk beyond a nominal denial of service on the CDN side.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score indicates a very low likelihood of exploitation (the probability is below 1%), and the flaw is not listed in CISA’s KEV catalog, further supporting the low current threat level. Nonetheless, the exposure of an operational nonce and the absence of an authorization check create a clear path for an unauthenticated attacker to alter data in a third‑party service, potentially leading to content loss or malicious content injection. Mitigation should therefore be applied now rather than deferred to a broader vulnerability assessment or regulatory compliance review, since waiting extends the risk window.