CVE-2026-33507
CSRF Vulnerability in WWBN AVideo Plugin Upload Enables RCE
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33507 is a Cross-Site Request Forgery (CSRF) vulnerability in the WWBN AVideo platform (versions up to 26.0) that affects the plugin import endpoint (`objects/pluginImport.json.php`). This endpoint allows authenticated admin users to upload and install plugin ZIP files containing executable PHP code but lacks CSRF protection.

Because the application sets the session cookie's SameSite attribute to 'None' for HTTPS connections, browsers include session cookies in cross-origin requests. An attacker can craft a malicious webpage that, when visited by an authenticated admin, silently uploads a malicious plugin ZIP containing a PHP webshell. This leads to Remote Code Execution (RCE) on the server without the admin's knowledge.

The vulnerability arises from the combination of missing CSRF token validation on the plugin import endpoint and the permissive cookie settings that allow cross-origin requests to carry session cookies. [2]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to achieve Remote Code Execution on the AVideo server by exploiting an authenticated admin's session via a CSRF attack.
- Full server compromise under the web server user context.
- Installation of malicious plugins containing PHP webshells.
- Execution of arbitrary OS commands on the server.
- Potential data exfiltration, lateral movement, database access, and privilege escalation.
- The attack requires only that an admin visits a malicious webpage, making it stealthy and invisible to the admin. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized or suspicious plugin uploads to the AVideo platform, especially POST requests to the `objects/pluginImport.json.php` endpoint without valid CSRF tokens.

Since the vulnerability exploits the lack of CSRF protection, you can check server logs for POST requests to the plugin import endpoint that do not include a valid CSRF token or originate from unexpected sources.

Suggested commands include inspecting web server access logs for suspicious POST requests:
- `grep 'POST /objects/pluginImport.json.php' /var/log/apache2/access.log`
- `grep 'POST /objects/pluginImport.json.php' /var/log/nginx/access.log`

Additionally, you can monitor for the presence of unexpected plugin directories or files, such as webshells, by scanning the plugin directory:
- `ls -l /path/to/avideo/plugin/`
- `find /path/to/avideo/plugin/ -name '*.php' -exec grep -l 'exec\|shell_exec\|system' {} +`

Network monitoring tools can also be configured to alert on cross-origin POST requests to the plugin import endpoint that include session cookies but lack CSRF tokens. [1, 2]
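A log filter for the "unexpected sources" check described above, added here as an example that is not part of the original page or the AVideo project. It assumes the combined log format (Referer and User-Agent fields present); the sample lines are constructed and `video.example` stands in for the real site host.

```php
<?php
// Added example, not AVideo's own code: flag POSTs to the plugin-import
// endpoint whose Referer is missing or points to a foreign host.
// Assumes Apache/nginx "combined" log format (referer + user-agent fields).
declare(strict_types=1);

const PLUGIN_IMPORT = '/objects/pluginImport.json.php';

// Returns one record per suspicious request; $siteHost is the AVideo host.
function flagPluginUploads(array $lines, string $siteHost): array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not combined format, skip the line
        }
        [, $ip, $when, $method, $path, $status, $referer] = $m;
        if ($method !== 'POST' || strtok($path, '?') !== PLUGIN_IMPORT) {
            continue;
        }
        $refHost = $referer === '-' ? null : (parse_url($referer, PHP_URL_HOST) ?: null);
        // The real upload form is served by the site itself, so a foreign or
        // absent Referer on this endpoint deserves review. A strict
        // Referrer-Policy can also blank it, so treat "absent" as a lead, not proof.
        if ($refHost === null || strcasecmp($refHost, $siteHost) !== 0) {
            $hits[] = ['ip' => $ip, 'time' => $when, 'status' => (int) $status, 'referer' => $referer];
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic. Only the second and third
// should be reported (foreign Referer, then no Referer at all).
$sample = [
    '203.0.113.5 - - [23/Mar/2026:10:01:02 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 61 "https://video.example/plugin/" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Mar/2026:10:05:44 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 200 61 "https://attacker.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Mar/2026:10:06:01 +0000] "POST /objects/pluginImport.json.php HTTP/1.1" 403 15 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Mar/2026:10:07:00 +0000] "GET /plugin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (flagPluginUploads($sample, 'video.example') as $h) {
    printf("%s %s status=%d referer=%s\n", $h['time'], $h['ip'], $h['status'], $h['referer']);
}
```

Pipe a real access log into `$lines` (one entry per element) to run it over production data; a 200 on the endpoint with a foreign Referer is the case worth escalating.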
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch that adds CSRF token validation to the plugin import endpoint and updates the plugin upload form to include a CSRF token.
Specifically:
- Update to the fixed version of AVideo that includes the commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3.
- Ensure that the `pluginImport.json.php` endpoint validates a global CSRF token (`globalToken`) and rejects requests without a valid token with HTTP 403.
- Modify the plugin upload form (`managerPluginUpload.php`) to include the hidden CSRF token input and send this token with upload requests.
- Consider changing the session cookie `SameSite` attribute from `null` to `Lax` if cross-origin embedding is not required, to reduce CSRF risks.
Additionally, restrict admin access to trusted networks and educate administrators to avoid visiting untrusted or suspicious websites while authenticated.
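The three changes the steps above describe (token check with 403, hidden form field, SameSite on the session cookie), written as an added example in generic PHP. This is not AVideo's code: `globalToken` is the key name the advisory cites, and the function names and session layout are assumptions.

```php
<?php
// Added example, not AVideo's own code: the CSRF fix pattern the advisory
// describes. 'globalToken' is the advisory's name; helpers are assumptions.
declare(strict_types=1);

// Issue (or reuse) the per-session token that the upload form embeds.
function globalToken(array &$session): string
{
    if (empty($session['globalToken'])) {
        $session['globalToken'] = bin2hex(random_bytes(32));
    }
    return $session['globalToken'];
}

// Endpoint-side check: a missing or mismatching token is rejected before any
// ZIP is touched. hash_equals() avoids leaking the token through timing.
function checkGlobalToken(array $session, array $request): bool
{
    $expected = $session['globalToken'] ?? '';
    $given    = (string) ($request['globalToken'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Form-side change: the hidden input the upload form must carry so that
// only a page served by the site itself can produce a valid request.
function tokenField(string $token): string
{
    return '<input type="hidden" name="globalToken" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Cookie-side change: SameSite=Lax keeps the session cookie off cross-site
// POSTs, a second layer that would have blocked this CSRF on its own.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// How the endpoint would use it, before reading any uploaded file:
// if (!checkGlobalToken($_SESSION, $_POST)) { http_response_code(403); exit; }
```

Call `hardenSessionCookie()` before `session_start()`, since cookie parameters set afterwards do not apply to the current session cookie.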