CVE-2026-34396
Stored XSS in WWBN AVideo Admin Plugin Configuration Panel
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to inject arbitrary JavaScript into the admin panel, which can lead to unauthorized actions or data exposure when administrators visit the plugin configuration page.
Such unauthorized code execution and potential data exposure could negatively impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure administrative controls.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 26.0 and prior, where the admin panel renders plugin configuration values in HTML forms without proper output encoding such as htmlspecialchars(). Specifically, the jsonToFormElements() function in admin/functions.php directly inserts user-controlled values into textarea contents, option elements, and input attributes. This allows an attacker who can set a plugin configuration value (either by compromising an admin account or by exploiting a CSRF vulnerability on admin/save.json.php) to inject arbitrary JavaScript. This malicious script executes whenever any administrator visits the plugin configuration page.
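The rendering defect described above, reduced to its essentials: the example below is added here and is not AVideo's jsonToFormElements() or any other project code. It renders a constructed plugin configuration array into the three field types named in the answer (textarea content, option elements, input value attributes), first by string concatenation and then with htmlspecialchars() applied in every context. Function names, the config layout and the sample values are assumptions for illustration; PHP 8 is assumed for str_contains().

```php
<?php
// Added example, not AVideo's own jsonToFormElements(): renders a plugin
// configuration array into form fields the unsafe way and the hardened way.
// Assumes PHP 8 and config values that are strings or lists of strings.
declare(strict_types=1);

// One escaping helper is enough here: ENT_QUOTES encodes both quote styles,
// so the result is safe inside element text (textarea, option) and inside a
// double-quoted attribute value alike.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: configuration values are concatenated straight into the
// markup, so a value holding '</textarea>' or '"' changes the page structure.
function renderUnsafe(array $config): string
{
    $out = '';
    foreach ($config as $name => $value) {
        if (is_array($value)) {
            $out .= "<select name=\"$name\">";
            foreach ($value as $opt) {
                $out .= "<option value=\"$opt\">$opt</option>";
            }
            $out .= '</select>';
        } elseif (str_contains($value, "\n")) {
            $out .= "<textarea name=\"$name\">$value</textarea>";
        } else {
            $out .= "<input type=\"text\" name=\"$name\" value=\"$value\">";
        }
    }
    return $out;
}

// Hardened pattern: the same layout, but every value (and the field name,
// which also comes from the stored configuration) passes through h().
function renderSafe(array $config): string
{
    $out = '';
    foreach ($config as $name => $value) {
        $n = h((string) $name);
        if (is_array($value)) {
            $out .= "<select name=\"$n\">";
            foreach ($value as $opt) {
                $o = h((string) $opt);
                $out .= "<option value=\"$o\">$o</option>";
            }
            $out .= '</select>';
        } elseif (str_contains($value, "\n")) {
            $out .= "<textarea name=\"$n\">" . h($value) . '</textarea>';
        } else {
            $out .= "<input type=\"text\" name=\"$n\" value=\"" . h($value) . '">';
        }
    }
    return $out;
}

// Constructed sample configuration: two values carry characters that break
// out of their HTML context when left unescaped.
$sample = [
    'title'  => 'My "Site"',
    'footer' => "line one\n</textarea><b>outside the textarea</b>",
    'mode'   => ['fast', 'slow'],
];

echo renderUnsafe($sample), PHP_EOL;
echo renderSafe($sample), PHP_EOL;
```

Run with `php render.php` and compare the two lines: in the unsafe output the quote in the title terminates the `value` attribute early and the `</textarea>` in the footer closes the element, leaving the `<b>` element as live markup; in the hardened output both appear as literal text. The check to apply when auditing similar code is that every interpolation point into HTML goes through an encoder chosen for that context, with ENT_QUOTES being the minimum for attribute values.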
How can this vulnerability impact me?
The vulnerability can lead to cross-site scripting (XSS) attacks within the admin panel of the AVideo platform. An attacker injecting JavaScript can execute arbitrary code in the context of the administrator's browser session. This can result in theft of admin credentials, session hijacking, unauthorized actions performed with admin privileges, or further compromise of the system.
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting administrative access to trusted users only and preventing attackers from setting plugin configuration values.
Additionally, administrators should avoid visiting the plugin configuration page until a patch or update is released, as visiting this page triggers the execution of injected JavaScript.
Implementing protections against CSRF attacks on admin/save.json.php can also help prevent attackers from chaining exploits to set malicious plugin configuration values.
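One way to implement the CSRF protection mentioned above for a state-changing admin endpoint, as an added example that is not AVideo's admin/save.json.php or any other project code: a per-session synchronizer token that the admin page sends back with each save, verified in constant time, backed by a Sec-Fetch-Site check. The endpoint shape, the `csrf` form field, the `X-CSRF-Token` header and the `savePluginConfiguration()` helper are assumptions for illustration.

```php
<?php
// Added example, not AVideo's own admin/save.json.php: a synchronizer-token
// CSRF check in front of a state-changing admin endpoint. The endpoint shape,
// the 'csrf' field and the X-CSRF-Token header are assumed for illustration.
declare(strict_types=1);

session_start();

// Issue one random token per session. The admin page embeds it in the form
// (or reads it via a same-origin request) and sends it back on every save.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A request passes only if it is a POST whose token equals the session token.
// hash_equals() compares in constant time; a missing token fails closed.
function csrfValid(array $server, array $post, ?string $sessionToken): bool
{
    if ($sessionToken === null || ($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? ($post['csrf'] ?? '');
    return is_string($sent) && $sent !== '' && hash_equals($sessionToken, $sent);
}

// Defense in depth: modern browsers label cross-site requests with
// Sec-Fetch-Site; reject those outright. Browsers that omit the header are
// still covered by the token check.
function sameOriginRequest(array $server): bool
{
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    return $site === null || $site === 'same-origin' || $site === 'none';
}

header('Content-Type: application/json');

if (!sameOriginRequest($_SERVER) || !csrfValid($_SERVER, $_POST, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => 'CSRF check failed']);
    exit;
}

// Only now is the submitted plugin configuration decoded and stored.
// savePluginConfiguration() is a hypothetical helper; whatever it stores must
// still be escaped when rendered back into the admin form.
// savePluginConfiguration($_POST);
echo json_encode(['error' => false, 'msg' => 'saved']);
```

The admin page obtains the token with `csrfToken()` when it renders the form and includes it as a hidden `csrf` field or an `X-CSRF-Token` header on the save request. Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the token check remains the one that does not depend on client behaviour.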