EUVD-2026-17630
GHSA-4wwr-7h7c-chqr
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
Analysis
Cross-site request forgery in WWBN AVideo 26.0 and earlier enables remote attackers to reconfigure critical plugin settings through forged requests targeting admin/save.json.php. The endpoint lacks CSRF token validation while the application sets SameSite=None cookies, allowing attackers to manipulate payment processors, authentication providers, and cloud storage credentials by tricking authenticated administrators into visiting malicious pages. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit admin/save.json.php access logs for unauthorized configuration changes; notify all AVideo administrators to avoid clicking untrusted links while logged in. Within 7 days: Implement network-level CSRF protection (WAF rules blocking requests to admin/save.json.php lacking valid CSRF tokens); restrict admin console access to internal networks or VPN only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today