Impact
A CSRF bug in the admin/playerUpdate.json.php endpoint of WWBN AVideo allows a malicious actor to send a cross‑origin POST request that alters the player skin configuration used across the entire platform. The issue arises because the endpoint does not validate CSRF tokens and the ORM’s ignoreTableSecurityCheck removes the additional domain‑based security layer for the plugins table. With SameSite=None cookies, the request can reach the protected endpoint from another origin, resulting in a change to the video player’s appearance.
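As an added illustration (not AVideo's own code), the hypothetical PHP handler below shows what proper CSRF validation at an endpoint like admin/playerUpdate.json.php looks like: a per-session token compared in constant time, an Origin check, and a session cookie that is not issued with SameSite=None. The constant SITE_ORIGIN and the function names are assumptions.

```php
<?php
// Added example, not AVideo's own code: a CSRF-hardened JSON update handler
// of the kind admin/playerUpdate.json.php needs. Assumes PHP sessions and a
// known site origin (SITE_ORIGIN below is a placeholder for the deployment).
declare(strict_types=1);

const SITE_ORIGIN = 'https://video.example';

// Issue the session cookie with SameSite=Lax so browsers withhold it from
// cross-site POSTs; SameSite=None is what lets the forged request carry auth.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Per-session secret embedded in the settings form as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request may proceed, otherwise the rejection reason.
function csrfCheck(array $post, array $server, string $sessionToken): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';
    }
    // A page on another origin cannot forge the browser-set Origin header.
    if (($server['HTTP_ORIGIN'] ?? '') !== SITE_ORIGIN) {
        return 'origin';
    }
    // Token must match the session's copy; constant-time compare avoids timing leaks.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return 'token';
    }
    return null;
}

header('Content-Type: application/json');
$failure = csrfCheck($_POST, $_SERVER, csrfToken());
if ($failure !== null) {
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => "CSRF check failed ($failure)"]);
    exit;
}
// Only past this point would the player skin settings be written.
echo json_encode(['error' => false]);
```

Any one of the three layers (token, Origin, cookie SameSite) would have stopped the cross-origin POST described above; together they also cover browsers that omit or strip one of them.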
Affected Systems
The vendor WWBN publishes the open‑source video platform AVideo. Versions 26.0 and earlier are affected by the missing CSRF validation in the admin/playerUpdate.json.php endpoint. Up‑to‑date releases contain the fix that performs proper CSRF checks.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a cross-origin POST, which the bypassed ORM security check does not block. The impact is limited to modifying the look of the video player across the platform, but an attacker could use the change to show branded or misleading content. Overall risk is moderate, and exploitation is unlikely to be widespread without targeted effort.
OpenCVE Enrichment
GitHub GHSA