CVE-2026-34375

EUVD-2026-16752 | HIGH 8.2 (CVSS 3.1) | Published 2026-03-27 | Source: GitHub_M | GHSA-pm37-62g7-p768

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

CVE Published: Mar 27, 2026 - 18:17 (nvd)
EUVD ID Assigned: Mar 27, 2026 - 19:00 (euvd), EUVD-2026-16752
Analysis Generated: Mar 27, 2026 - 19:00 (vuln.today)

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
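The unsafe shape the advisory describes (a request parameter echoed straight into a `<script>` block) next to a hardened version, as an added PHP illustration that is not AVideo's own code; the function names, the plugin allowlist and the demo values are assumptions:

```php
<?php
// Added illustration of the CVE-2026-34375 pattern. Hypothetical code, not AVideo's:
// it contrasts the "echo a request parameter into a <script> block" shape with a
// hardened replacement. Function names and the allowlist are assumptions.

// Assumed allowlist of plugin names the confirmation page may legitimately serve.
const ALLOWED_PLUGINS = ['YPTWallet'];

// VULNERABLE shape (as the advisory describes): the raw parameter lands inside a
// JavaScript string literal, so a quote or "</script>" in it ends the literal or the element.
function renderScriptVulnerable(array $request, string $userName): string
{
    $plugin = $request['plugin'] ?? '';
    return "<script>\nvar plugin = '" . $plugin . "';\nvar user = '" . $userName . "';\n</script>";
}

// HARDENED shape: (1) validate the parameter against a fixed allowlist, and
// (2) emit every dynamic value with json_encode() plus the HEX flags, so <, >, &, ' and "
// become \u escapes and can never terminate the string or the <script> element.
function jsValue($value): string
{
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($encoded === false) {
        throw new RuntimeException('value cannot be encoded for a JavaScript context');
    }
    return $encoded;
}

function renderScriptHardened(array $request, string $userName): string
{
    $plugin = $request['plugin'] ?? '';
    if (!in_array($plugin, ALLOWED_PLUGINS, true)) {
        http_response_code(400);
        return '';   // unknown plugin name: refuse rather than reflect it
    }
    // The password hash has no business in page output at all; only the username
    // is passed through here, and only after encoding.
    return "<script>\nvar plugin = " . jsValue($plugin) . ";\nvar user = " . jsValue($userName) . ";\n</script>";
}

// Constructed demo values: the first is rejected by the allowlist, the second shows
// that breakout characters in a legitimate value are escaped rather than reflected raw.
echo renderScriptHardened(['plugin' => "x'</script>"], 'alice');
echo renderScriptHardened(['plugin' => 'YPTWallet'], "bob'<s>");
```

Compare the output of `renderScriptVulnerable` with the same inputs to see the raw reflection the advisory describes.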

Analysis

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to and including 26.0 enables credential theft through an unsanitized request parameter echoed into a JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash, both of which are directly exposed in the vulnerable code block. …


Remediation

Within 24 hours: Identify all WWBN AVideo deployments and confirm the current version against the version 26.0 baseline; restrict external access to AVideo administrative interfaces where feasible. Within 7 days: Implement WAF rules to block requests containing JavaScript payloads in request parameters destined for AVideo; conduct a user awareness briefing on phishing URLs targeting AVideo login flows. …


Priority Score: 41 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +41, POC 0
