Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
Published: 2026-03-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In versions up to and including 26.0, the plugin import endpoint permits an administrator to upload and install plugin ZIP files. The application lacks CSRF protection while it explicitly sets session.cookie_samesite to 'None' for HTTPS connections. This design flaw allows an unauthenticated attacker to craft a page that, when visited by a legitimate admin, silently uploads a malicious plugin containing executable PHP code, resulting in remote code execution on the server. The weakness is a Cross-Site Request Forgery flaw.

Affected Systems

The vulnerability affects the open-source video platform AVideo from WWBN. All installations running version 26.0 or earlier are susceptible; newer releases incorporate a patch that removes the CSRF vulnerability in the plugin import functionality.

Risk and Exploitability

The CVSS score of 8.8 denotes a high severity, while the EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to lure an authenticated administrator to a malicious page that triggers the CSRF request; once the page is visited the compromise is immediate and gives full control over the server through the uploaded PHP webshell.

Generated by OpenCVE AI on March 24, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AVideo release (26.1 or newer) that includes the plugin import CSRF fix.
  • If an update cannot be performed immediately, disable the plugin import endpoint or restrict access to trusted IP addresses or privileged users.
  • Reconfigure session.cookie_samesite to 'Strict' or 'Lax' for admin sessions to reduce CSRF risk.
  • Audit the server for unintended or recently uploaded plugins and remove any suspicious files.
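
As an added defensive illustration (not AVideo's code and not the referenced patch), the PHP sketch below places the weak `session.cookie_samesite = 'None'` setting from the description beside a hardened configuration, and gates a JSON admin endpoint that accepts uploads behind an Origin check plus a synchronizer token; the site origin, helper names and field names are assumptions.

```php
<?php
// Added illustrative example, not AVideo's own code or its patch. Shows the two
// layers the advisory describes as absent: cookie scoping and per-request CSRF checks.
declare(strict_types=1);

// 1. Cookie scoping, set before session_start().
// ini_set('session.cookie_samesite', 'None'); // weak: cookie rides along on cross-site POSTs
ini_set('session.cookie_samesite', 'Lax');     // 'Strict' is stronger for admin-only sessions
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Issue a per-session synchronizer token; the admin form embeds it in the POST body.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 2. Verify the request: the Origin (or Referer) must match our site, and the
//    submitted token must equal the session token (constant-time comparison).
//    $allowedOrigin is an assumed deployment value.
function csrf_request_is_valid(array $server, array $post, string $allowedOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '' && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '');
    }
    if ($origin !== $allowedOrigin) {
        return false; // cross-site or origin-less request
    }
    $sent = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Gate the upload-handling action behind both checks, on top of the existing admin check.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    if (!csrf_request_is_valid($_SERVER, $_POST, 'https://videos.example.com')) {
        http_response_code(403);
        echo json_encode(['error' => 'CSRF validation failed']);
        exit;
    }
    // ... only now inspect and install $_FILES['plugin'] ...
    echo json_encode(['ok' => true]);
}
```

With SameSite set to Lax or Strict the browser never attaches the admin cookie to a cross-site POST, so the token check becomes a second, independent layer rather than the only one.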

Advisories

Source: GitHub GHSA
ID: GHSA-hv36-p4w4-6vmj
Title: AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

History

Tue, 24 Mar 2026 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 17:00:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
Type: Title
Values Added: AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T17:09:11.687Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33507

Vulnrichment

Updated: 2026-03-23T17:08:57.259Z

NVD

Status : Analyzed

Published: 2026-03-23T17:16:51.803

Modified: 2026-03-24T16:55:37.440

Link: CVE-2026-33507

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:24Z

Weaknesses