Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
Published: 2026-03-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (reflected)
Action: Patch Immediately
AI Analysis

Impact

An unauthenticated attacker can embed malicious JavaScript into the YPTWallet Stripe payment confirmation page by supplying a specially crafted `plugin` value in the URL; because the application writes the value directly into a JavaScript block without any encoding, the code runs in the victim’s browser. In addition, the page outputs the logged‑in user’s name and password hash, so a successful exploit can exfiltrate those credentials instantly.

Affected Systems

The flaw exists in the WWBN AVideo video platform, affecting all releases up to and including version 26.0; it is triggered on the YPTWallet Stripe payment confirmation page where the `plugin` query parameter is not sanitized.

Risk and Exploitability

The CVSS v3 score of 8.2 classifies this as High severity. The EPSS score is below 1 %, indicating that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, a reflected XSS that can read the user’s password hash presents a serious risk to confidentiality and could lead to credential theft. The attack can be performed by directing a victim to a crafted URL; no privileged access is required, making it a low‑barrier exploit.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to any version newer than 26.0 or apply the patch referenced by commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2.
  • Verify that the YPTWallet payment confirmation page no longer echoes the `plugin` request value raw.
  • Ensure that all user input is sanitized or filtered before being included in output, and review other pages for similar unsanitized parameters.
  • Monitor web logs for attempts to exploit the `plugin` parameter or other XSS vectors.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pm37-62g7-p768 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
History

Tue, 31 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
Title AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:36:50.491Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34375

cve-icon Vulnrichment

Updated: 2026-03-31T13:36:39.704Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T19:16:43.107

Modified: 2026-03-31T18:48:56.307

Link: CVE-2026-34375

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:29Z

Weaknesses