Impact
The vulnerability allows unauthenticated attackers to submit a private key, ciphertext, and passphrase to the decryptMessage.json.php endpoint, causing the server to perform PGP decryption and return the plaintext. Because the decrypted data can be logged, this results in exposure of sensitive key material and message content. The flaw is a missing authentication weakness (CWE‑306).
Affected Systems
The issue affects AVideo by WWBN in all releases up to and including version 25.0. Any installation that has the decryptMessage.json.php file exposed is vulnerable.
Risk and Exploitability
With a CVSS score of 6.9, the vulnerability is considered medium severity. EPSS data is not provided, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by sending HTTP requests to the endpoint without credentials, immediately acquiring decrypted content and potentially exhausting server resources through repeated decryption requests.
OpenCVE Enrichment