All-in-One Video Gallery Vulnerability (Medium) – CVE-2026-1706

Mar 3, 2026 | Plugins

Attack Vectors

All-in-One Video Gallery (slug: all-in-one-video-gallery) versions up to and including 4.7.1 are affected by a Medium-severity vulnerability (CVSS 6.1, CVE-2026-1706) that can be exploited remotely over the internet without authentication. A 6.1 score is the usual CVSS 3.1 rating for unauthenticated reflected XSS: reachable over the network, low attack complexity, no privileges required, user interaction required, with low confidentiality and integrity impact in a changed scope (the victim's browser rather than the server).

The issue is a reflected Cross-Site Scripting (XSS) flaw in the handling of the ‘vi’ request parameter. An unauthenticated attacker can craft a URL that carries a script payload in that parameter; when a victim opens the link, the value is reflected into the page and the script runs in the victim’s browser within the origin of your site, with that user’s cookies and privileges.

This type of attack relies on user interaction (for example, a staff member clicking a link in an email, chat message, social media DM, or a forged support request). Because no login is required for the attacker, the primary “gate” is whether they can convincingly prompt a click. The most valuable victim is a logged-in administrator: script executing in their browser can drive wp-admin and the REST API with their session, so the attacker inherits whatever that account can do. Because the payload travels in the URL, exploitation attempts also leave a trace in web server access logs as requests with unusual ‘vi’ values.

Security Weakness

The root cause is insufficient input sanitization and output escaping for the ‘vi’ parameter in the All-in-One Video Gallery plugin (all versions up to and including 4.7.1): the value is reflected into page output without being validated on the way in or escaped for its HTML context on the way out.

In business terms, this means untrusted data from a URL can be written back into one of your pages in a way that the browser treats as markup and script rather than as text. While this is categorized as Medium severity, it is still a meaningful risk because it can be used as a stepping-stone to compromise accounts, manipulate customer sessions, or undermine trust in your brand.
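As an added illustration (not the plugin’s own code, and not the payload behind CVE-2026-1706, which the advisory does not publish), the snippet below contrasts a hypothetical PHP page that reflects a ‘vi’ query value unescaped with a hardened version that validates and escapes it. It assumes, for the example only, that ‘vi’ is a numeric video id; the WordPress helpers named in the comments (absint, esc_attr, esc_url, esc_html) are the standard equivalents of the plain-PHP calls used here, so the file runs with `php` alone and no WordPress install.

```php
<?php
// Added example, not code from All-in-One Video Gallery: a hypothetical page that
// echoes a `vi` request parameter, in a reflected-XSS-prone form and a hardened form.
// Runs stand-alone with: php reflected-xss-demo.php

declare(strict_types=1);

/**
 * Vulnerable pattern: the raw query value is written into an HTML attribute and a
 * text node with no escaping. Whatever the attacker puts in the URL becomes markup.
 */
function render_vulnerable(array $query): string
{
    $vi = $query['vi'] ?? '';
    return '<a href="/video/?vi=' . $vi . '">Video ' . $vi . '</a>';
}

/**
 * Hardened pattern: validate the input against what the parameter is supposed to be,
 * then escape on output for the context it lands in.
 * Assumption for this example: `vi` is a positive integer video id.
 * WordPress equivalents: absint() for the id, esc_url()/esc_attr() for the href,
 * esc_html() for the text node.
 */
function render_hardened(array $query): string
{
    $vi = $query['vi'] ?? '';
    // Validation: reject arrays (?vi[]=...) and anything that is not a positive integer.
    if (!is_string($vi) || !preg_match('/^[1-9][0-9]*$/', $vi)) {
        return '<p>Invalid video id.</p>';
    }
    // Output escaping is kept even though the value is validated (defence in depth);
    // for a pure integer it is a no-op, for anything else it neutralises < > " ' &.
    $safe = escape_for_html($vi);
    return '<a href="/video/?vi=' . $safe . '">Video ' . $safe . '</a>';
}

/**
 * When validation is not possible (free-text parameter), context-appropriate escaping
 * alone closes the injection: entities are rendered as text, never as markup.
 */
function escape_for_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one benign, one carrying a textbook attribute-breakout
// payload. This is a generic XSS demonstration string, not the CVE-2026-1706 payload.
$benign  = ['vi' => '42'];
$hostile = ['vi' => '42"><img src=x onerror=alert(document.domain)>'];

echo "Vulnerable, benign:  " . render_vulnerable($benign) . PHP_EOL;
echo "Vulnerable, hostile: " . render_vulnerable($hostile) . PHP_EOL;
echo "Hardened, benign:    " . render_hardened($benign) . PHP_EOL;
echo "Hardened, hostile:   " . render_hardened($hostile) . PHP_EOL;
echo "Escaped payload:     " . escape_for_html($hostile['vi']) . PHP_EOL;
```

The vulnerable line shows the `"` in the hostile value closing the href attribute so the rest of the string becomes a new element; the hardened line either refuses the value outright or emits it as `&quot;&gt;&lt;img ...`, which the browser displays as literal text. Validation and escaping are separate controls: the first narrows what the code accepts, the second guarantees that whatever is accepted cannot change the structure of the page.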

Remediation is straightforward: update to version 4.7.5 or newer, the version the advisory lists as patched. If the update cannot be applied immediately, a web application firewall rule that blocks requests whose ‘vi’ parameter contains markup characters reduces exposure, but it is a stopgap, not a substitute for the patch. Source: Wordfence vulnerability advisory. CVE record: CVE-2026-1706.

Technical or Business Impacts

If exploited successfully, reflected XSS can lead to outcomes that matter to executives and compliance teams, such as session hijacking (WordPress authentication cookies are HttpOnly, so the script usually cannot read them directly, but it can issue authenticated requests from the victim’s browser, which amounts to the same thing), unauthorized actions performed in the user’s browser, or misleading content displayed to staff or customers.

From a business-risk perspective, this can translate into brand damage (customers encountering unexpected behavior on your site), increased fraud and support costs, and compliance exposure if user data or authenticated access is misused. Even when the vulnerability requires a click, it is commonly paired with phishing and social engineering, which can target marketing, finance, and operations teams.

Attacker-controlled script running inside a trusted site has impacted well-known organizations, including British Airways (Magecart-style web skimming) and Ticketmaster (third-party script compromise), along with other e-commerce web injection incidents. Those cases involved persistent or supply-chain script injection rather than a link-borne reflected payload, but the end state is the same: JavaScript chosen by the attacker executing in the site’s origin.

Recommended next step: confirm whether your WordPress site runs All-in-One Video Gallery (the Plugins screen in wp-admin, or `wp plugin list` with WP-CLI) and, if so, prioritize an upgrade to 4.7.5+ as part of routine patch management. This reduces the likelihood of staff-targeted click attacks turning into real incidents.
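For sites managed without WP-CLI, the script below is an added example (not part of the advisory or the plugin) that locates the plugin under the standard `wp-content/plugins/<slug>/` layout, reads the `Version:` line from the plugin header the way WordPress does, and reports whether the installed version predates 4.7.5. Run with no argument, it exercises the same check on a constructed header string so it can be tried offline.

```php
<?php
// Added example, not part of the advisory: audit a WordPress install for
// All-in-One Video Gallery and report whether it still needs the CVE-2026-1706 fix.
// Usage: php aiovg-audit.php /var/www/html     (path to the WordPress root)
//        php aiovg-audit.php                   (no path: runs on a constructed sample)
// WP-CLI equivalent: wp plugin get all-in-one-video-gallery --field=version

declare(strict_types=1);

const AIOVG_SLUG  = 'all-in-one-video-gallery';
const AIOVG_FIXED = '4.7.5';   // patched version named in the advisory

/** Extract the Version: header from a plugin file's leading comment block, or null. */
function plugin_header_version(string $file_contents): ?string
{
    // WordPress only inspects the first 8 KiB of a file for plugin headers; mirror that.
    $head = substr($file_contents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t\r]*$/mi', $head, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** Installed version of a plugin slug under a plugins directory, or null if absent. */
function installed_plugin_version(string $plugins_dir, string $slug): ?string
{
    $dir = rtrim($plugins_dir, '/') . '/' . $slug;
    if (!is_dir($dir)) {
        return null;
    }
    // The main plugin file is whichever top-level .php file carries the header.
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $version = plugin_header_version((string) file_get_contents($file));
        if ($version !== null) {
            return $version;
        }
    }
    return null;
}

/** True when the installed version is older than the fixed one (still vulnerable). */
function needs_update(string $installed, string $fixed): bool
{
    return version_compare($installed, $fixed, '<');
}

/** One-line verdict for a WordPress root directory. */
function audit(string $wp_root): string
{
    $version = installed_plugin_version($wp_root . '/wp-content/plugins', AIOVG_SLUG);
    if ($version === null) {
        return AIOVG_SLUG . ': not installed';
    }
    return needs_update($version, AIOVG_FIXED)
        ? AIOVG_SLUG . " $version installed: UPDATE REQUIRED (fixed in " . AIOVG_FIXED . ')'
        : AIOVG_SLUG . " $version installed: ok";
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        echo audit($argv[1]) . PHP_EOL;
    } else {
        // Constructed sample header (not a real plugin file) so the check runs offline.
        $sample  = "<?php\n/*\nPlugin Name: All-in-One Video Gallery\nVersion: 4.7.1\n*/\n";
        $version = plugin_header_version($sample);
        echo "sample header version $version, needs update: "
            . var_export(needs_update((string) $version, AIOVG_FIXED), true) . PHP_EOL;
    }
}
```

The comparison uses PHP’s `version_compare`, which is what WordPress itself uses for plugin version checks, so pre-release suffixes are ordered correctly. On a multisite or a host with several document roots, run it once per WordPress root; a plugin directory that exists but carries no readable header is reported as not installed and should be inspected by hand.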
