Impact
WWBN AVideo is an open‑source video platform. In versions 26.0 and earlier, the install/test.php diagnostic script had its CLI‑only access guard disabled because the die() statement was commented out. As a result, the script remains reachable through HTTP after the application has been installed. When accessed, the script outputs detailed video‑viewer statistics, including IP addresses, session IDs, and user‑agent strings. An unauthenticated visitor can obtain this data, leading to private information leakage and potential tracking or session‑replay attacks. The weakness aligns with CWE‑200, an information‑disclosure vulnerability.
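As an added example (not AVideo's own code), a small Python audit that flags PHP scripts in which a CLI-only guard has been neutralized in the way described above: the SAPI check is still present, but the die()/exit that enforces it is commented out or missing. The PHP snippets below are constructed to model that pattern, and the check is a line-based heuristic, not a PHP parser.

```python
import re
from pathlib import Path

# Constructed PHP samples modelling the advisory's pattern; not AVideo's source.
VULNERABLE_SAMPLE = """<?php
if (php_sapi_name() !== 'cli') {
    echo 'This script can only be run from the command line';
    //die();
}
// ... diagnostic output follows (viewer IPs, session ids, user agents) ...
"""

FIXED_SAMPLE = """<?php
if (php_sapi_name() !== 'cli') {
    http_response_code(403);
    die('CLI only');
}
"""

GUARD_RE = re.compile(r"php_sapi_name\s*\(\s*\)|\bPHP_SAPI\b")      # the CLI check
TERMINATOR_RE = re.compile(r"\b(die|exit)\b\s*[\(;]")                # what enforces it
COMMENT_RE = re.compile(r"^\s*(//|#|/\*|\*)")                          # line starts commented


def audit_cli_guard(source: str, window: int = 6) -> dict:
    """Classify a script's CLI guard.

    Returns {'status': 'ok'|'neutralized'|'missing', 'line': 1-based line or None}.
    'neutralized' means a SAPI check exists but no live die()/exit follows it
    within `window` lines (e.g. the die() is commented out).
    Heuristic: multi-line /* ... */ blocks are not tracked.
    """
    lines = source.splitlines()
    for i, line in enumerate(lines):
        if COMMENT_RE.match(line) or not GUARD_RE.search(line):
            continue
        for lineno, nxt in enumerate(lines[i + 1:i + 1 + window], start=i + 2):
            if TERMINATOR_RE.search(nxt):
                status = "neutralized" if COMMENT_RE.match(nxt) else "ok"
                return {"status": status, "line": lineno}
        return {"status": "neutralized", "line": i + 1}   # guard with no terminator
    return {"status": "missing", "line": None}


def audit_tree(root: str) -> list:
    """Audit every .php file under `root`; return (path, result) for non-'ok' guards."""
    findings = []
    for path in Path(root).rglob("*.php"):
        result = audit_cli_guard(path.read_text(encoding="utf-8", errors="replace"))
        if result["status"] != "ok":
            findings.append((str(path), result))
    return findings
```

Scripts reported as 'missing' need a manual look, since a diagnostic script may legitimately have no CLI check but should then not be web-reachable at all.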
Affected Systems
The vulnerability affects the AVideo video platform developed by WWBN. All installations running version 26.0 or earlier are potentially impacted. No specific subversions are listed, so any deployment of 26.0 or lower should be considered at risk.
Risk and Exploitability
CVSS v3 indicates a moderate risk with a score of 5.3. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a simple HTTP GET request to the script's URL, as the script is publicly accessible after installation. Exploitation requires only knowledge of the script's location; no authentication is needed. The disclosed information can help an attacker identify users or forge session‑related data, but it does not provide code execution or administrative privileges. Because the vulnerability is straightforward to exploit, administrators should address it promptly.
OpenCVE Enrichment
Github GHSA