CVE-2025-12957
Published: 16 January 2026
Summary
CVE-2025-12957 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of file uploads to prevent arbitrary files from bypassing type checks via double extensions in the WordPress plugin.
Mandates timely remediation of flaws, such as patching the All-in-One Video Gallery plugin beyond version 4.5.7 to eliminate the upload vulnerability.
Restricts the types of information inputs to the system, blocking acceptance of dangerous file types that exploit the VTT validation flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing WordPress plugin directly enables initial access via T1190, payload ingress via T1105, and web shell deployment for RCE via T1505.003.
NVD Description
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while…
more
being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysisAI
CVE-2025-12957 is an arbitrary file upload vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting all versions up to and including 4.5.7. The issue stems from insufficient file type validation that incorrectly detects VTT files, enabling double extension files to bypass sanitization while being accepted as valid VTT files. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-16.
Authenticated attackers with author-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading crafted files, they can place arbitrary content on the affected site's server, potentially leading to remote code execution.
Mitigation involves updating the All-in-One Video Gallery plugin beyond version 4.5.7, as indicated by the patch in WordPress plugin trac changeset 3405593. Additional details are available in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve.
Details
- CWE(s)