Impact
The identified flaw is an Insecure Direct Object Reference (IDOR) in the setPassword.json.php endpoint of the CustomizeUser plugin, classified as CWE‑639 (Authorization Bypass Through User‑Controlled Key): the endpoint acts on whichever user account the request names. Through it, administrative users can set the channel password of any user account. A second logic error compounds this: the submitted password is converted to an integer before storage, so any password that contains non‑numeric characters silently becomes the integer zero, and the stored channel password is always 0 regardless of what was typed. Two consequences follow. A legitimate administrator who sets a channel password for a user ends up, without any warning, with a password of 0; and an attacker holding administrative privileges can deliberately trigger the reset to a value they know in advance. In either case, any visitor who enters 0 gains access to the channel's password‑protected media, which should be visible only to the channel owner or the users the owner has authorized.
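As an added illustration (not code from AVideo or from the advisory), the following PHP models the two defects described above beside a hardened handler. The table layout, the function names, the visitor‑side comparison and the assumption that the weak handler uses a plain `(int)` cast are all hypothetical; only PHP's cast semantics are stated as fact.

```php
<?php
// Added example, not AVideo's code. Models the flaw the advisory describes:
// a channel-password endpoint that (a) acts on any user id it is given and
// (b) casts the submitted password to int before storing it. Everything
// here (table layout, function names, the exact cast) is an assumption.
declare(strict_types=1);

// Constructed stand-in for the users table.
$users = [
    7 => ['channel_password' => null, 'is_admin' => false],
    9 => ['channel_password' => null, 'is_admin' => true],
];

/**
 * Weak handler: no check that the caller may act on $targetId, and the
 * password is cast to int. PHP's (int) cast silently turns a string with
 * no leading digits into 0 (a string with leading digits keeps only those
 * digits), so a password such as "S3cret!Pass" is stored as 0.
 */
function setChannelPasswordWeak(array &$users, int $targetId, string $password): int
{
    $stored = (int) $password;
    $users[$targetId]['channel_password'] = $stored;
    return $stored;
}

/**
 * Visitor-side check matching the weak storage (assumed): the stored value
 * is an int, so the visitor's input is compared after the same cast.
 */
function channelUnlocksWeak(array $users, int $targetId, string $candidate): bool
{
    return (int) $candidate === $users[$targetId]['channel_password'];
}

/**
 * Hardened handler: enforce ownership (the CWE-639 check), reject short
 * passwords, and store a hash of the string so the value never collapses
 * to a guessable constant.
 */
function setChannelPasswordHardened(array &$users, int $callerId, int $targetId, string $password): bool
{
    $isOwner = $callerId === $targetId;
    $isAdmin = !empty($users[$callerId]['is_admin']);
    if (!$isOwner && !$isAdmin) {
        return false;   // caller neither owns this channel nor is an admin
    }
    if (strlen($password) < 8) {
        return false;   // minimum length is an assumption, not an AVideo rule
    }
    $users[$targetId]['channel_password'] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function channelUnlocksHardened(array $users, int $targetId, string $candidate): bool
{
    $hash = $users[$targetId]['channel_password'] ?? null;
    return is_string($hash) && password_verify($candidate, $hash);
}

// Admin 9 sets a strong-looking password on user 7's channel via the weak handler,
// then a visitor who knows nothing but the advisory tries "0".
setChannelPasswordWeak($users, 7, 'S3cret!Pass');
$weakBypass = channelUnlocksWeak($users, 7, '0');

// Same action via the hardened handler: the real password unlocks, "0" does not,
// and a non-owner, non-admin caller (id 8) is refused.
setChannelPasswordHardened($users, 9, 7, 'S3cret!Pass');
$hardenedReal   = channelUnlocksHardened($users, 7, 'S3cret!Pass');
$hardenedBypass = channelUnlocksHardened($users, 7, '0');
$strangerDenied = !setChannelPasswordHardened($users, 8, 7, 'Another!Pass');

printf("weak handler unlocked by '0': %s\n", var_export($weakBypass, true));
printf("hardened: real password %s, '0' %s, stranger denied %s\n",
    var_export($hardenedReal, true),
    var_export($hardenedBypass, true),
    var_export($strangerDenied, true));
```

The ownership check is the part that addresses the CWE‑639 classification; the hash replaces the integer cast so the stored value depends on the password actually submitted. Run it with `php example.php` on any PHP 8 interpreter.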
Affected Systems
The affected product is the WWBN AVideo open‑source video platform in all releases earlier than version 26.0. The vulnerable setPassword.json.php endpoint ships as part of the bundled CustomizeUser plugin in those releases, so a deployment is affected whenever that plugin is present. No other sub‑modules or third‑party components are named by the advisory.
Risk and Exploitability
The CVSS score of 5.1 places the issue in the Medium severity band. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, so there is no recorded evidence of in‑the‑wild exploitation; that absence says nothing about how hard the flaw is to abuse. Reaching the vulnerable endpoint requires an authenticated administrator, but once the channel password has been reset the second stage needs no privileges at all: any web visitor who enters 0 can read the channel's protected content. The flaw is therefore most relevant where an administrator account has been compromised or an attacker has moved laterally into an administrator's session, and, because the conversion is silent, wherever an administrator has routinely used this endpoint to set channel passwords. A practical check is to review channels whose password was set through the CustomizeUser plugin and confirm that entering 0 does not unlock them.