Executive Summary

CVE-2026-28502 is a critical authenticated Remote Code Execution (RCE) vulnerability in the WWBN AVideo platform prior to version 24.0. It arises from the plugin upload/import functionality where an authenticated administrator can upload a specially crafted ZIP archive containing executable server-side files such as PHP scripts.

The vulnerability exists because the system only checks the ZIP file extension but does not validate the contents inside the archive. The ZIP archive is extracted directly into a web-accessible plugin directory without restrictions, allowing arbitrary PHP code execution on the server.

This flaw is due to insufficient validation of extracted file contents and unsafe extraction methods, which enable an attacker with admin privileges to execute arbitrary code remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full system compromise because it allows an authenticated administrator to execute arbitrary PHP code on the server hosting the AVideo platform.

The impact includes loss of confidentiality, integrity, and availability of the system. An attacker could run malicious code, manipulate or steal data, disrupt services, or gain further access to the underlying infrastructure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of unauthorized or suspicious PHP files within the plugin directories of the AVideo installation, especially if these files were introduced via ZIP uploads. Since the vulnerability involves uploading specially crafted ZIP archives that extract executable PHP files into web-accessible plugin directories, monitoring these directories for unexpected files is critical.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing web server logs for unusual requests or execution of unexpected PHP scripts in plugin directories may help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation include:'}, {'type': 'list_item', 'content': "Find PHP files in plugin directories that may not belong: `find /path/to/avideo/plugins/ -type f -name '*.php'`"}, {'type': 'list_item', 'content': 'Check for recently modified or created files in plugin directories: `find /path/to/avideo/plugins/ -type f -mtime -30` (files modified in the last 30 days)'}, {'type': 'list_item', 'content': "Search web server access logs for suspicious requests to plugin directories: `grep '/plugin/' /var/log/apache2/access.log | grep '.php'`"}, {'type': 'list_item', 'content': 'Audit plugin upload logs or application logs for ZIP upload activities by authenticated administrators.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading AVideo to version 24.0 or later, where the vulnerability has been patched with improved validation and secure handling of plugin ZIP uploads.

If upgrading immediately is not possible, consider the following workarounds:

• Disable the plugin upload/import functionality to prevent uploading of malicious ZIP archives.
• Configure the web server to prevent execution of PHP files within the plugin upload directories, for example by disabling PHP execution in those directories via web server configuration.
• Manually audit and remove any suspicious or unauthorized files in the plugin directories.

Useful 0 Not Useful 0