Description
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AVideo TopMenu plugin renders menu item fields—icon classes, URLs, and text labels—without proper output encoding. This flaw allows an attacker to inject malicious JavaScript that will be stored and executed on every visit to pages where the menu is rendered. The resultant script can steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The weakness is identified as CWE‑79, a classic stored cross‑site scripting attack.

Affected Systems

The vulnerability affects installations of the AVideo TopMenu plugin that use any version prior to a patched release. All sites running the plugin provide a menu editing interface and therefore expose the unescaped fields to potential exploitation.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. No EPSS data is available and the flaw is not listed in CISA’s KEV catalog. The likely attack vector involves authenticated access to the menu‑item editing interface; once an attacker submits a payload, it is persisted and launched automatically for all visitors, regardless of their authentication state. Until the plugin is updated to a version that performs proper output encoding, the vulnerability remains a moderate threat that could lead to session hijacking or further compromise.

Generated by OpenCVE AI on June 20, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AVideo TopMenu plugin to the latest available release, which should address the output encoding issue.
  • If an immediate update is not feasible, restrict menu‑item editing permissions to trusted administrators only.
  • Disable the TopMenu plugin if the affected functionality is not required by the site.
  • Review all existing menu items for injected JavaScript and remove or sanitize any payloads before they are rendered.

Generated by OpenCVE AI on June 20, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.
Title AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields
First Time appeared Wwbn
Wwbn avideo
Weaknesses CWE-79
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T18:12:45.160Z

Reserved: 2026-06-20T18:13:07.363Z

Link: CVE-2026-56347

cve-icon Vulnrichment

Updated: 2026-06-22T17:55:04.927Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T20:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')