Executive Summary

CVE-2026-33867 is a vulnerability in the WWBN AVideo platform versions up to and including 26.0 where video passwords are stored in plaintext in the database without any hashing, salting, or encryption.

The setter method for video passwords only trims the input and saves it directly, and the password check compares the entered password directly to the stored plaintext password without cryptographic verification.

If an attacker gains read access to the database through SQL injection, leaked backups, or misconfigured access controls, they can retrieve all video passwords in cleartext without any effort to crack them.

This vulnerability is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a high severity rating.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows attackers who gain read access to the database to obtain all video passwords in plaintext.

Since users often reuse passwords across different services, attackers can use these exposed passwords to compromise other accounts or services.

This can lead to unauthorized access to protected video content and potentially broader credential harvesting and account compromises.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the database for video passwords stored in plaintext. Specifically, you can query the videos table to find any non-empty video_password entries that are not hashed.

• Run the SQL command: SELECT clean_title, video_password FROM videos WHERE video_password != ''; to retrieve all video passwords stored in plaintext.
• Check for any SQL injection vulnerabilities that might allow unauthorized read access to the database.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating the AVideo platform to a patched version where video passwords are hashed using bcrypt.

• Upgrade to AVideo version 29.0 or later, which includes the fix that hashes video passwords upon storage.
• Apply the patch that changes password storage to use PHP's password_hash($video_password, PASSWORD_BCRYPT) function.
• Verify passwords on access using password_verify to prevent plaintext password exposure.
• Restrict and audit database access controls to prevent unauthorized read access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability involves storing video passwords in plaintext in the database without hashing, salting, or encryption. This cleartext storage of sensitive information (CWE-312) poses a significant risk if an attacker gains read access to the database, potentially exposing user credentials.

Such insecure handling of sensitive data can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require appropriate protection of personal and sensitive information to prevent unauthorized access and data breaches.

Because passwords are stored in plaintext, this vulnerability increases the risk of credential harvesting and broader account compromise, which can result in violations of privacy and security requirements mandated by these regulations.

Useful 0 Not Useful 0