CVE-2026-33507
Received Received - Intake
CSRF Vulnerability in WWBN AVideo Plugin Upload Enables RCE

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33507
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33507 is a Cross-Site Request Forgery (CSRF) vulnerability in the WWBN AVideo platform (versions up to 26.0) that affects the plugin import endpoint (`objects/pluginImport.json.php`). This endpoint allows authenticated admin users to upload and install plugin ZIP files containing executable PHP code but lacks CSRF protection.'}, {'type': 'paragraph', 'content': "Because the application sets the session cookie's SameSite attribute to 'None' for HTTPS connections, browsers include session cookies in cross-origin requests. An attacker can craft a malicious webpage that, when visited by an authenticated admin, silently uploads a malicious plugin ZIP containing a PHP webshell. This leads to Remote Code Execution (RCE) on the server without the admin's knowledge."}, {'type': 'paragraph', 'content': 'The vulnerability arises from the combination of missing CSRF token validation on the plugin import endpoint and the permissive cookie settings that allow cross-origin requests to carry session cookies.'}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an unauthenticated attacker to achieve Remote Code Execution on the AVideo server by exploiting an authenticated admin's session via a CSRF attack."}, {'type': 'list_item', 'content': 'Full server compromise under the web server user context.'}, {'type': 'list_item', 'content': 'Installation of malicious plugins containing PHP webshells.'}, {'type': 'list_item', 'content': 'Execution of arbitrary OS commands on the server.'}, {'type': 'list_item', 'content': 'Potential data exfiltration, lateral movement, database access, and privilege escalation.'}, {'type': 'list_item', 'content': 'The attack requires only that an admin visits a malicious webpage, making it stealthy and invisible to the admin.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for unauthorized or suspicious plugin uploads to the AVideo platform, especially POST requests to the `objects/pluginImport.json.php` endpoint without valid CSRF tokens.'}, {'type': 'paragraph', 'content': 'Since the vulnerability exploits the lack of CSRF protection, you can check server logs for POST requests to the plugin import endpoint that do not include a valid CSRF token or originate from unexpected sources.'}, {'type': 'paragraph', 'content': 'Suggested commands include inspecting web server access logs for suspicious POST requests:'}, {'type': 'list_item', 'content': "grep 'POST /objects/pluginImport.json.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep 'POST /objects/pluginImport.json.php' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Additionally, you can monitor for the presence of unexpected plugin directories or files, such as webshells, by scanning the plugin directory:'}, {'type': 'list_item', 'content': 'ls -l /path/to/avideo/plugin/'}, {'type': 'list_item', 'content': "find /path/to/avideo/plugin/ -name '*.php' -exec grep -l 'exec\\|shell_exec\\|system' {} +"}, {'type': 'paragraph', 'content': 'Network monitoring tools can also be configured to alert on cross-origin POST requests to the plugin import endpoint that include session cookies but lack CSRF tokens.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include applying the patch that adds CSRF token validation to the plugin import endpoint and updates the plugin upload form to include a CSRF token.

Specifically:

  • Update to the fixed version of AVideo that includes the commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3.
  • Ensure that the `pluginImport.json.php` endpoint validates a global CSRF token (`globalToken`) and rejects requests without a valid token with HTTP 403.
  • Modify the plugin upload form (`managerPluginUpload.php`) to include the hidden CSRF token input and send this token with upload requests.
  • Consider changing the session cookie `SameSite` attribute from `null` to `Lax` if cross-origin embedding is not required, to reduce CSRF risks.

Additionally, restrict admin access to trusted networks and educate administrators to avoid visiting untrusted or suspicious websites while authenticated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart