CVE-2026-34613
CSRF Vulnerability in WWBN AVideo Plugin Management Enables Security Bypass
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to disable critical security plugins such as two-factor authentication (2FA), subscription enforcement, or access control plugins by exploiting a CSRF weakness combined with session cookie settings. This can lead to weakened security controls and unauthorized access.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to disable security mechanisms could potentially result in non-compliance with these regulations, which require adequate access controls and protection of sensitive data.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 26.0 and prior, specifically in the endpoint objects/pluginSwitch.json.php. This endpoint allows administrators to enable or disable any installed plugin and checks for an active admin session but does not validate a CSRF token.
Additionally, the plugins database table is excluded from the ORM-level Referer/Origin domain validation, so that check does not protect this endpoint either. Because the session cookies are set with SameSite=None, the browser attaches them to requests initiated from other sites; an attacker can therefore trick a logged-in administrator into visiting a malicious page that submits the request and disables critical security plugins without the administrator's consent.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can disable critical security plugins such as LoginControl for two-factor authentication, subscription enforcement, or access control plugins.
This can lead to a reduction in the security posture of the affected system, potentially allowing unauthorized access or bypassing important security controls.
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on reducing the risk of exploitation.
- Restrict administrative access to trusted networks and users only.
- Avoid having administrators visit untrusted or potentially malicious websites while logged into the AVideo admin interface.
- Consider disabling or limiting the use of the vulnerable endpoint objects/pluginSwitch.json.php if possible.
- Monitor administrative sessions and plugin status for unexpected changes.
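As an added illustration, not code from the AVideo project, the following Python sketch models a plugin-toggle endpoint that applies the three controls the explanation above says are missing or weakened: a per-session CSRF token compared in constant time, a same-origin check on the Origin/Referer headers that is not exempted for any table, and a session cookie issued with SameSite=Lax instead of SameSite=None. The site origin, the Session and Request classes, and the plugin names are constructed placeholders; the in-memory `plugins` dict stands in for the database table.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder for the deployment's own origin.
SITE_ORIGIN = "https://avideo.example"


@dataclass
class Session:
    """Minimal stand-in for a server-side session (hypothetical)."""
    user_id: str
    is_admin: bool
    # One unpredictable token per session; embedded in admin forms and echoed back.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical)."""
    method: str
    headers: dict
    form: dict


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) matches SITE_ORIGIN.

    A state-changing request that carries neither header is rejected rather than
    waved through, so there is no 'exempt' path for a privileged table.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() == SITE_ORIGIN


def token_valid(session: Session, submitted) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def plugin_switch(request: Request, session, plugins: dict):
    """Toggle a plugin only for an admin session, via POST, same-origin, with a valid token.

    Returns (json_body, http_status). Every rejection leaves `plugins` untouched.
    """
    if session is None or not session.is_admin:
        return {"error": "admin session required"}, 403
    if request.method != "POST":
        return {"error": "POST required"}, 405
    if not same_origin(request.headers):
        return {"error": "cross-site request rejected"}, 403
    if not token_valid(session, request.form.get("csrf_token")):
        return {"error": "invalid CSRF token"}, 403
    name = request.form.get("plugin")
    if name not in plugins:
        return {"error": "unknown plugin"}, 404
    plugins[name] = request.form.get("enable") == "1"
    return {"plugin": name, "enabled": plugins[name]}, 200


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie.

    SameSite=Lax makes the browser withhold the cookie from cross-site POSTs, so a
    forged request from another site arrives unauthenticated even before the token
    check runs. SameSite=None (the setting described on this page) would send it.
    """
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    admin = Session(user_id="admin", is_admin=True)
    plugins = {"LoginControl": True}  # constructed plugin state
    # Legitimate toggle from the site's own admin page, carrying the session token.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"plugin": "LoginControl", "enable": "0", "csrf_token": admin.csrf_token})
    print(plugin_switch(legit, admin, plugins))
    print(session_cookie_header("constructed-session-id"))
```

The layered order matters: the SameSite cookie attribute stops most cross-site submissions at the browser, the Origin/Referer check stops the rest at the edge of the application, and the token check covers clients or proxies that strip those headers. Monitoring for this issue can key on the same endpoint: a plugin state change whose request lacked a valid token or a matching Origin is exactly what the fixed handler rejects, and logging those rejections gives the "unexpected changes" signal the last mitigation step asks for.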