Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Disabling critical security plugins
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a CSRF flaw in the AVideo pluginSwitch.json.php endpoint: any request that carries an active admin session can enable or disable any installed plugin, and the endpoint does not validate a CSRF token. An attacker can lure an admin to a malicious webpage that automatically performs the request; the browser attaches the admin's session cookie because it is set with SameSite=None, so the request succeeds and turns off essential security measures such as two-factor authentication, subscription enforcement, or access controls. The flaw enables the removal of security safeguards and could lead to system compromise or data exfiltration once protective plugins have been disabled through the lured admin's session.
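To make the mechanism concrete, here is an added Python model (not AVideo's code, which is PHP, and not part of the OpenCVE analysis) of the two checks the description contrasts. `session_only_check` mirrors the described behaviour of the endpoint, where an active admin session is sufficient; `hardened_check` adds what is missing: a per-session synchronizer CSRF token plus the Origin/Referer host validation that ignoreTableSecurityCheck() bypasses for the plugins table. `cookie_sent_cross_site` models why the SameSite attribute decides whether the cross-site request carries the session cookie at all. The host name, session layout, form field names and the simulated requests are constructed placeholders, not AVideo's real parameters.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder for the AVideo deployment's own host name.
SITE_HOST = "video.example.org"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a PHP endpoint would see it."""
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def cookie_sent_cross_site(samesite, method, top_level_navigation):
    """Does a browser attach a cookie with this SameSite value to a cross-site request?

    None   -> always (the setting the advisory describes)
    Lax    -> only for top-level navigations using a safe method such as GET
    Strict -> never
    """
    if samesite == "None":
        return True
    if samesite == "Lax":
        return top_level_navigation and method == "GET"
    return False


def source_host(headers):
    """Host from Origin (preferred) or Referer; None when neither header is present."""
    for name in ("Origin", "Referer"):
        if headers.get(name):
            return urlsplit(headers[name]).hostname
    return None


def session_only_check(req, sessions):
    """The pattern the advisory describes: an admin session cookie is sufficient."""
    sess = sessions.get(req.cookies.get("PHPSESSID"))
    return bool(sess and sess.get("is_admin"))


def hardened_check(req, sessions):
    """Admin session plus same-site Origin/Referer plus a per-session CSRF token."""
    sess = sessions.get(req.cookies.get("PHPSESSID"))
    if not (sess and sess.get("is_admin")):
        return False
    if req.method != "POST":
        return False
    if source_host(req.headers) != SITE_HOST:
        return False  # missing or off-site Origin/Referer
    expected = sess.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def simulate():
    """Constructed scenario: one admin session, a cross-site request and a same-site one."""
    sid = secrets.token_hex(16)
    sessions = {sid: {"is_admin": True, "csrf_token": secrets.token_urlsafe(32)}}

    # Request triggered from a third-party page. The browser attaches the session
    # cookie only because SameSite=None, and the page cannot know the token.
    # Form field names are hypothetical, not AVideo's real parameters.
    cross_site = Request(
        method="POST",
        headers={"Origin": "https://third-party.invalid"},
        cookies=({"PHPSESSID": sid} if cookie_sent_cross_site("None", "POST", False) else {}),
        form={"plugin": "LoginControl", "enable": "0"},
    )
    # The same action issued from the site's own admin UI, carrying the session token.
    same_site = Request(
        method="POST",
        headers={"Origin": f"https://{SITE_HOST}"},
        cookies={"PHPSESSID": sid},
        form={"plugin": "LoginControl", "enable": "0",
              "csrf_token": sessions[sid]["csrf_token"]},
    )
    return {
        "cross_site_passes_session_only": session_only_check(cross_site, sessions),
        "cross_site_passes_hardened": hardened_check(cross_site, sessions),
        "same_site_passes_hardened": hardened_check(same_site, sessions),
        "cookie_sent_with_lax": cookie_sent_cross_site("Lax", "POST", False),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The token comparison uses `hmac.compare_digest` so a forged token cannot be distinguished by timing, and the Origin/Referer check is kept even with the token in place: the two controls fail independently, which is the point the advisory makes about the bypassed ORM-level domain validation.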

Affected Systems

The affected product is WWBN AVideo, versions 26.0 and any earlier releases. No specific patch or version remedy is currently available from the vendor.

Risk and Exploitability

The CVSS score of 6.5 reflects a high integrity impact on security controls (the vector rates confidentiality and availability impact as none). EPSS indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread publicly known exploits exist. The likely attack vector requires social engineering to convince a legitimate administrator to visit a malicious page, after which the CSRF request automatically disables the target plugin. Even with low exploitation probability, the loss of critical security functionality represents a high-risk scenario for any installation that relies on security plugins.

Generated by OpenCVE AI on April 2, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Wait for an official vendor patch and upgrade to a fixed version as soon as it is released.
  • If upgrading is not immediately possible, further restrict access to the AVideo admin interface by limiting network IP ranges or applying firewall rules so that only trusted hosts can reach the admin URL.
  • Disable or block the pluginSwitch.json.php endpoint if the platform allows removing or protecting specific files, thereby preventing CSRF attempts from disabling plugins.
  • Configure session cookies for the admin session with SameSite=Lax or Strict to reduce the chance that a CSRF request is accepted automatically.
  • Monitor administrator logs for unexpected plugin enable/disable actions and investigate any suspicious changes immediately.
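As an added example of the last recommendation (monitoring for unexpected plugin enable/disable actions), the following Python script, which is not part of the OpenCVE page or of AVideo, scans web-server access logs in the common "combined" format for requests to objects/pluginSwitch.json.php whose Referer is missing or points off-site. The host name, the endpoint path handling and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders: the deployment's own host and the endpoint named in the advisory.
SITE_HOST = "video.example.org"
ENDPOINT = "/objects/pluginSwitch.json.php"

# Apache/nginx "combined" log format, which includes the Referer field this check relies on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed entry that hits the plugin switch endpoint.

    Returns None for other paths; otherwise a finding whose 'reason' is
    'cross-site', 'no-referer' or None (same-site, expected admin UI traffic).
    """
    if urlsplit(entry["path"]).path != ENDPOINT:
        return None
    referer = entry["referer"]
    host = urlsplit(referer).hostname if referer and referer != "-" else None
    if host is None:
        reason = "no-referer"
    elif host != SITE_HOST:
        reason = "cross-site"
    else:
        reason = None
    return {"time": entry["time"], "ip": entry["ip"], "method": entry["method"],
            "status": entry["status"], "referer_host": host, "reason": reason}


def scan(lines):
    """Return findings for plugin-switch requests whose Referer is missing or off-site."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a production job would count these
        finding = classify(entry)
        if finding and finding["reason"]:
            findings.append(finding)
    return findings


# Constructed sample log; addresses, times, hosts and query strings are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 53 "https://video.example.org/plugins" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2026:10:07:44 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 53 "https://third-party.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:09:12 +0000] "GET /objects/pluginSwitch.json.php?id=1 HTTP/1.1" 200 53 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:09:13 +0000] "GET /index.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['status']} "
              f"referer_host={f['referer_host']} -> {f['reason']}")
```

A cross-site Referer on this endpoint is the strongest signal; a missing Referer is weaker, since browsers and referrer policies can suppress the header, so corroborate either finding against the plugins table state or the application's own audit trail before treating it as an incident.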

Advisories

Source: GitHub GHSA
ID: GHSA-hqxf-mhfw-rc44
Title: AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
History

Wed, 01 Apr 2026 23:45:00 +0000

First Time appeared (values added): Wwbn; Wwbn avideo
CPEs (values added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products (values added): Wwbn; Wwbn avideo
Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Description (values added): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.
Title (values added): AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
Weaknesses (values added): CWE-352
References:
Metrics (values added): cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:44:06.444Z

Reserved: 2026-03-30T17:15:52.501Z

Link: CVE-2026-34613

Vulnrichment

Updated: 2026-04-01T18:43:59.311Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:31.447

Modified: 2026-04-01T20:30:11.600

Link: CVE-2026-34613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:41Z

Weaknesses