Impact
The Video Gallery – YouTube Gallery, Playlist & Video Grid plugin for WordPress contains an Arbitrary Function Call flaw in all releases up to and including 4.0.3. The vulnerability arises in the emd_delete_file() AJAX handler, located in includes/common-functions.php. The user-supplied 'path' parameter is sanitized only with sanitize_text_field(), and any trailing '_PLUGIN_DIR' substring is removed. The remaining value is then invoked as a PHP function name, with no arguments, through a variable function call.
The handler performs no capability checks, so the endpoint is protected solely by a nonce, and that nonce is emitted on any front-end page that renders a form shortcode containing file fields. The AJAX route is therefore available to any authenticated user who can obtain the relevant nonce.
An attacker can use this to trigger calls to any zero-argument PHP function (for example phpinfo, phpversion, get_defined_vars, error_get_last), exposing sensitive information and potentially providing further entry points for compromise. The exposed functions can reveal environment details, configuration settings, or other internal data that could be leveraged in subsequent exploits, such as code execution or credential theft.
Affected Systems
The affected product is the Video Gallery – YouTube Gallery, Playlist & Video Grid plugin authored by emarket-design. All releases up to and including 4.0.3 are vulnerable. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 7.5 indicates a high-impact vulnerability. Because the handler lacks proper authorization checks, it is inferred that any logged-in user who holds Subscriber-level privileges or higher can exploit the flaw if they can obtain a valid request nonce. The attacker must construct an HTTP request to the AJAX endpoint, injecting the function name into the 'path' parameter. EPSS data is unavailable, and the issue is not present in the CISA KEV catalog, but the straightforward attack path and the lack of capability verification make the vulnerability actionable on any site running an affected plugin version.
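The three weaknesses described above (nonce-only protection, no capability check, and a request value used as a callable) map to three checks in a file-delete AJAX handler. The following is an added example, not the plugin's code or its vendor patch; the example_* function names, the 'example_file_nonce' action, the 'example-uploads' directory and the choice of the upload_files capability are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's code or patch.
// Assumed names: example_* functions, 'example_file_nonce', 'example-uploads'.

// Map a user-supplied name to a real file inside $base_dir, or null.
// The value is only ever treated as data (a path), never as a callable.
function example_resolve_upload(string $raw, string $base_dir): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // basename() drops directory components, which rules out traversal.
    $name = basename(str_replace('\\', '/', $raw));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so confirm the result is still under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function example_delete_file_handler(): void {
    // 1. Nonce: CSRF protection only, not an authorization check.
    check_ajax_referer('example_file_nonce', 'nonce');
    // 2. Capability check, the control the advisory reports as missing.
    if (!current_user_can('upload_files')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }
    // 3. Interpret 'path' strictly as a file name under one fixed directory.
    $raw  = isset($_POST['path']) ? sanitize_text_field(wp_unslash($_POST['path'])) : '';
    $dir  = trailingslashit(wp_upload_dir()['basedir']) . 'example-uploads';
    $file = example_resolve_upload($raw, $dir);
    if ($file === null) {
        wp_send_json_error(array('message' => 'invalid file'), 400);
    }
    wp_delete_file($file);
    wp_send_json_success();
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action('wp_ajax_example_delete_file', 'example_delete_file_handler');
```

Because 'path' is resolved with realpath() and passed only to wp_delete_file(), a value such as a function name is rejected as a nonexistent file. A production handler would additionally confirm that the file belongs to the requesting user.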