CVE-2026-34375
Received Received - Intake
Stored XSS in WWBN AVideo YPTWallet Exposes Credentials

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34375
EUVD
EUVD-2026-16752
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34375 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the WWBN AVideo platform, specifically in the YPTWallet Stripe payment confirmation page. The vulnerability occurs because the `plugin` parameter from the HTTP request is directly inserted into a JavaScript block without any encoding or sanitization.

Since the `plugin` parameter is not filtered or sanitized by the framework, an attacker can craft a malicious URL that injects arbitrary JavaScript code. This injected script runs in the context of any authenticated user who clicks the link.

Additionally, the vulnerable script outputs the current user's username and password hash in the same JavaScript block, allowing an attacker to immediately steal these credentials if the XSS is successful.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the context of an authenticated user, leading to immediate credential theft including usernames and password hashes. This exposure of sensitive personal data can result in unauthorized access and account takeover.

Such a breach of sensitive user information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could cause violations of these standards by compromising confidentiality and potentially leading to data breaches.

Impact Analysis

This vulnerability can have several serious impacts:

  • Arbitrary JavaScript execution in the context of authenticated users, allowing attackers to perform actions on their behalf.
  • Immediate theft of usernames and password hashes due to their exposure in the vulnerable script block.
  • Session hijacking by stealing session cookies through injected scripts.
  • Manipulation of payment processes, such as altering payment amounts or redirecting payment confirmations.
  • Potential account takeover by using stolen credentials for offline cracking or replay attacks.
Detection Guidance

This vulnerability can be detected by identifying if the YPTWallet Stripe payment confirmation page in WWBN AVideo versions up to 26.0 directly echoes the `plugin` parameter from HTTP requests into a JavaScript block without encoding or sanitization.

One practical way to detect the vulnerability is to send crafted HTTP requests to the `addFunds.php` page with malicious `plugin` parameter values and observe if arbitrary JavaScript is executed or reflected in the response.

For example, you can use curl or wget commands to test for reflected XSS by injecting a simple payload and checking the response:

  • curl -i 'http://your-avideo-site/addFunds.php?plugin=\";alert(1);//'
  • curl -i 'http://your-avideo-site/addFunds.php?plugin=<script>alert(1)</script>'

If the response contains the injected JavaScript code unencoded inside a script block, the vulnerability is present.

Additionally, inspecting the source code of the `confirmButton.php` file around line 116 for direct echoing of `$_REQUEST['plugin']` without encoding can confirm the vulnerability.

Mitigation Strategies

The immediate mitigation step is to apply proper encoding to the `plugin` parameter before outputting it into the JavaScript block to prevent injection of arbitrary code.

Specifically, update the code in `confirmButton.php` at line 116 to use PHP's `json_encode` function to safely encode the `plugin` parameter as a JSON string.

  • Replace: `"plugin": "<?php echo @$_REQUEST['plugin']; ?>",`
  • With: `"plugin": <?php echo json_encode((string)($_REQUEST['plugin'] ?? '')); ?>,`

This change ensures the parameter is properly escaped and prevents JavaScript injection.

If you cannot immediately patch the code, consider restricting access to the vulnerable page or disabling the affected plugin until a fix is applied.

Also, monitor for suspicious URLs containing crafted `plugin` parameters and educate users to avoid clicking untrusted links.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart