Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

Three administrative JSON endpoints in WWBN AVideo – categoryAddNew.json.php, categoryDelete.json.php, and pluginRunUpdateScript.json.php – validate only the caller's role and omit the CSRF token check. This allows an attacker who lures a logged‑in administrator to a malicious page to create, delete or modify categories, and to trigger any installed plugin's updateScript() method in the admin's session. The absence of token validation is an omission rather than a deliberate design choice, and execution of a plugin update script can result in arbitrary code running on the server, giving the attacker control over the system's data and possibly the host. The vulnerability is a classic CSRF flaw (CWE‑352).

Affected Systems

WWBN AVideo, versions 29.0 and earlier, including any installations that have not applied the fix commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the omitted CSRF token check and the ability to execute arbitrary plugin code make exploitation highly likely against logged‑in administrators. Likely attack vectors involve web‑based CSRF or social‑engineering techniques that trick an admin into visiting a crafted URL.

Generated by OpenCVE AI on April 22, 2026 at 06:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 30.0 or later, or apply the referenced commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 to restore CSRF validation on the affected endpoints.
  • If an upgrade cannot be performed immediately, manually insert CSRF token checks (e.g., call isGlobalTokenValid() and forbidIfIsUntrustedRequest()) into pluginRunUpdateScript.json.php, categoryAddNew.json.php, and categoryDelete.json.php to block unauthorized state changes.
  • Disable or remove the pluginRunUpdateScript.json.php endpoint from the production environment, or configure the application to apply the CSRF check to administrator requests, so that an administrator's session cannot be used to trigger plugin update scripts unintentionally.
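The omission the advisory describes and the checks the recommended actions call for, side by side, as an added PHP example; this is not AVideo's own code, and the bodies of User::isAdmin(), isGlobalTokenValid() and forbidIfIsUntrustedRequest() are assumed stand-ins for the helpers the advisory names, written so the file runs on its own:

```php
<?php
// Added example, not AVideo's own code: the role-check-only endpoint shape the
// advisory describes beside the fixed shape that also runs the CSRF checks its
// peer endpoints use. Helper bodies are stand-ins (assumptions) so the file runs
// alone; in AVideo the real helpers come from the application's includes.
session_status() === PHP_SESSION_NONE && session_start();

class User {
    public static function isAdmin(): bool { return !empty($_SESSION['is_admin']); }
}

// Stand-in for isGlobalTokenValid(): a per-session secret that a page on another
// origin cannot read, so a forged request arrives without it and fails here.
function isGlobalTokenValid(): bool {
    $sent = $_POST['global_token'] ?? $_GET['global_token'] ?? '';
    return !empty($_SESSION['global_token']) && is_string($sent)
        && hash_equals($_SESSION['global_token'], $sent);
}

// Stand-in for forbidIfIsUntrustedRequest(): reject a request whose Origin
// header names a host other than the one serving the application.
function forbidIfIsUntrustedRequest(): void {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== ($_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit(json_encode(['error' => true, 'msg' => 'untrusted request']));
    }
}

// Vulnerable shape from the advisory: role check, then the state change.
function categoryDeleteVulnerable(): array {
    if (!User::isAdmin()) { return ['error' => true, 'msg' => 'admin only']; }
    return ['error' => false, 'deleted' => (int)($_POST['id'] ?? 0)]; // DB delete goes here
}

// Fixed shape: same role check, then both CSRF checks before any database write.
function categoryDeleteFixed(): array {
    if (!User::isAdmin()) { return ['error' => true, 'msg' => 'admin only']; }
    forbidIfIsUntrustedRequest();
    if (!isGlobalTokenValid()) { return ['error' => true, 'msg' => 'invalid global token']; }
    return ['error' => false, 'deleted' => (int)($_POST['id'] ?? 0)];
}

// Constructed demo: an admin session handling a request that carries no token,
// which is what a request fired from another site looks like to the server.
$_SESSION['is_admin'] = true;
$_SESSION['global_token'] = bin2hex(random_bytes(16));
$_POST = ['id' => 7];
echo json_encode(categoryDeleteVulnerable()), "\n";
echo json_encode(categoryDeleteFixed()), "\n";
$_POST['global_token'] = $_SESSION['global_token']; // what a same-origin form carries
echo json_encode(categoryDeleteFixed()), "\n";
```

The first two calls show the same token-less request being accepted by the vulnerable shape and rejected by the fixed one; the third shows the fixed shape still serving a request that carries the session's token.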

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 04:00:00 +0000
  First time appeared: Wwbn; Wwbn avideo
  Vendors & Products: Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000
  Description: the advisory text shown in the Description section above
  Title: WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
  Weaknesses: CWE-352
  References: (empty)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:58:06.149Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40926

Vulnrichment

Updated: 2026-04-22T13:57:58.737Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T23:16:20.163

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses