Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation leading to full administrative takeover and payment credential compromise
Action: Apply Workaround
AI Analysis

Impact

The absence of CSRF validation in AVideo's admin plugin configuration endpoint allows an attacker to forge cross-origin POST requests that overwrite any plugin setting. Because the endpoint performs no token check and the plugins table is exempt from the table-level security guard, the attacker gains the ability to reconfigure payment processors, authentication providers, and cloud storage credentials, effectively taking control of the platform.

Affected Systems

Every installation of WWBN AVideo running version 26.0 or earlier is affected, because the vulnerability resides in the admin/save.json.php endpoint and the application’s SameSite=None cookie policy.

Risk and Exploitability

The CVSS Base Score of 8.1 indicates high severity. The EPSS score of less than 1% suggests limited current exploitation, and the issue is not in the CISA KEV catalog. The attack requires an attacker to host a malicious page that a logged-in administrator visits while the session cookie is present. The forged request is then accepted without validation, giving the attacker full administrative capabilities. Until a vendor patch is released, the risk remains significant for any site that uses third-party payment or storage services.

Generated by OpenCVE AI on April 2, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Temporarily enforce a stricter SameSite cookie policy (Lax or Strict) for the admin session to block cross‑origin POST requests
  • Restrict the admin interface to trusted IPs or a WAF that blocks POSTs to /admin/save.json.php from external origins
  • Monitor the plugins table for unauthorized changes and alert administrators immediately
  • If feasible, modify admin/save.json.php to include a CSRF token validation (e.g., call verifyToken() or isGlobalTokenValid()) before processing configuration changes
  • Keep the system updated and monitor WWBN’s repository for any official fix, applying it as soon as it becomes available
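As an added example (not AVideo's own code, and not a patch for the project), the PHP below shows the defensive shape the cookie-policy and token-validation recommendations above describe: a session cookie issued with SameSite=Strict, and a save handler that refuses the request unless a per-session CSRF token matches before any setting is written. A generic hash_equals() comparison stands in for AVideo's verifyToken()/isGlobalTokenValid(); the function names and the https://video.example.com origin are assumptions.

```php
<?php
// Added example, not AVideo's code: hardened handling for an admin
// configuration save, combining a SameSite cookie policy with a CSRF
// token check that runs before any plugin row is modified.
declare(strict_types=1);

// Issue the admin session cookie with SameSite=Strict instead of None.
// Strict stops the browser from attaching the cookie to cross-site POSTs.
function configure_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Strict',
    ]);
}

// Mint one random token per session; the admin form embeds it in a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Fail closed: constant-time token comparison, plus an Origin header check
// (when the browser sends one) against the site's own origin (assumed value).
function request_is_trusted(array $post, array $server, string $siteOrigin): bool {
    $sent     = $post['csrf_token'] ?? null;
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $siteOrigin;
}

// Shape of a guarded save.json.php handler: the check precedes all processing.
function handle_plugin_save(array $post, array $server): array {
    if (!request_is_trusted($post, $server, 'https://video.example.com')) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'CSRF token or Origin check failed'];
    }
    // Only here may the submitted plugin settings be written to the plugins table.
    return ['error' => false, 'msg' => 'saved'];
}
```

SameSite=Lax, as the recommendation also allows, blocks cross-site POSTs as well but still sends the cookie on top-level cross-site GET navigations, so the token check remains the primary control.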

Advisories
Source: GitHub GHSA
ID: GHSA-4wwr-7h7c-chqr
Title: AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
History

Wed, 01 Apr 2026 23:45:00 +0000

Values added:
  • First time appeared: Wwbn; Wwbn avideo
  • CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
  • Vendors & Products: Wwbn; Wwbn avideo
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  • Description: WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
  • Title: AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
  • Weaknesses: CWE-352
  • References:
  • Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:40:10.738Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34394

Vulnrichment

Updated: 2026-04-01T13:39:57.867Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.660

Modified: 2026-04-01T20:38:14.020

Link: CVE-2026-34394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:44Z

Weaknesses