CVE-2024-4033

Name of the Vulnerable Software and Affected Versions All-in-One Video Gallery plugin for WordPress versions up to, and including, 3.6.4

Description The issue is related to missing file type validation in the aiovg create attachment from external image url function. This allows authenticated attackers with contributor access or higher to upload arbitrary files to the site's server, potentially enabling remote code execution.

Recommendations For All-in-One Video Gallery plugin for WordPress versions up to, and including, 3.6.4: Update to a version higher than 3.6.4 to resolve the issue. As a temporary workaround, consider restricting contributor access and above to minimize the risk of exploitation. Restrict access to the aiovg create attachment from external image url function until a patch is available.