CVE-2026-56347
Status: Received - Intake
Stored XSS in AVideo TopMenu Plugin

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.
CVSS Scores: none listed
EPSS Scores: not yet evaluated (N/A)
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo_topmenu_plugin
Version / Range: through 26.0 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-56347 is a stored cross-site scripting (XSS) vulnerability in the AVideo TopMenu plugin up to version 26.0. It occurs because the plugin renders menu item fields such as icon classes, URLs, and text labels directly into HTML without proper escaping or output encoding.

This flaw allows attackers to inject malicious JavaScript code into these menu items, which then executes for all site visitors when they view the menu.

The vulnerability is tracked under CWE-79, which relates to improper neutralization of input during web page generation.

Impact Analysis

This vulnerability can have several impacts including session hijacking, phishing, content modification, and unauthorized actions performed on behalf of users.

Because the malicious JavaScript executes for all site visitors, attackers can steal session cookies or perform actions without user consent.

Direct admin access is not required to plant the payload: the plugin's menuItemSave.json.php endpoint lacks CSRF protection, so an attacker can lure a logged-in administrator to a page that submits a crafted save request on the admin's behalf, storing the malicious menu item.

Detection Guidance

Detection is a content check rather than a network signature: the payload lives in the stored menu items. Review the TopMenu item records (icon class, URL, and text label fields) in the application database for markup, inline event-handler attributes, or javascript: URLs, none of which a legitimate menu entry needs.

The same check can be run against the rendered output: fetch a page that includes the menu and compare the menu HTML with the expected plain values, looking for unescaped script tags, inline handlers, or script-scheme links.

The resources for this CVE provide no commands for automated detection on the network or host, so the review must be done against the stored data or the rendered HTML.
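The two review paths above, as an added example that is not AVideo project code. The record shape (id, icon, url, text) and the sample rows are constructed assumptions; the real table and column names are not given on this page, so point the query at the installed schema and feed its rows to findSuspiciousMenuItems().

```php
<?php
// Added example, not AVideo code: review stored TopMenu items for payloads
// that only work because the fields are emitted without encoding.
// Record shape and sample rows are constructed for the demonstration.

// Constructed sample rows standing in for a SELECT over the menu-item table.
$menuItems = [
    ['id' => 1, 'icon' => 'fa fa-home', 'url' => '/', 'text' => 'Home'],
    ['id' => 2, 'icon' => 'fa fa-star" onmouseover="alert(1)', 'url' => '/featured', 'text' => 'Featured'],
    ['id' => 3, 'icon' => 'fa fa-video', 'url' => 'javascript:alert(document.cookie)', 'text' => 'Live'],
    ['id' => 4, 'icon' => 'fa fa-info', 'url' => '/about', 'text' => 'About<script>alert(document.domain)</script>'],
];

// One rule per field: icon classes are plain class tokens, URLs are relative
// or http(s), labels carry no markup. Anything else deserves a human look.
function findSuspiciousMenuItems(array $items): array
{
    $findings = [];
    foreach ($items as $item) {
        if (!preg_match('/^[A-Za-z0-9 _-]*$/', $item['icon'])) {
            $findings[] = ['id' => $item['id'], 'field' => 'icon', 'reason' => 'characters outside a class token'];
        }
        if (preg_match('/^\s*([a-z][a-z0-9+.-]*):/i', $item['url'], $m)
            && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
            $findings[] = ['id' => $item['id'], 'field' => 'url', 'reason' => 'disallowed URL scheme ' . $m[1]];
        }
        if (preg_match('/[<>"\']|\bon[a-z]+\s*=/i', $item['text'])) {
            $findings[] = ['id' => $item['id'], 'field' => 'text', 'reason' => 'markup or event handler in label'];
        }
    }
    return $findings;
}

// Second path: the rendered page. Pull the menu fragment out of a fetched
// page (however the theme emits it) and look for script, inline handlers,
// or script-scheme links, which plain menu values never produce.
function renderedMenuLooksTampered(string $menuHtml): bool
{
    return (bool) preg_match(
        '/<script\b|\bon[a-z]+\s*=\s*["\']|href\s*=\s*["\']\s*javascript:/i',
        $menuHtml
    );
}

foreach (findSuspiciousMenuItems($menuItems) as $f) {
    printf("menu item %d, %s field: %s\n", $f['id'], $f['field'], $f['reason']);
}

// Constructed fragment of the kind an unpatched plugin would emit for row 2.
$capturedMenu = '<li><a href="/featured"><i class="fa fa-star" onmouseover="alert(1)"></i> Featured</a></li>';
printf("rendered menu tampered: %s\n", renderedMenuLooksTampered($capturedMenu) ? 'yes' : 'no');
```

The field rules are deliberately strict allowlists rather than a blocklist of known payloads: a class attribute has no business containing quotes, a menu link has no business using a scheme other than http(s), and a label has no business containing angle brackets, so any hit is worth inspecting even if it turns out to be a typo rather than an attack.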

Mitigation Strategies

The recommended immediate mitigation is to apply proper output encoding to all user-controlled data in the plugin's templates.

Specifically, pass every icon class, URL, and text label through htmlspecialchars() with the ENT_QUOTES flag at the point where the template emits it, so that quotes and angle brackets cannot close the attribute or element they are placed in. Note that encoding alone does not make a javascript: URL in an href inert (it still runs on click), so URL fields also need a scheme check that allows only relative paths and http or https links; icon classes are best restricted to plain class-token characters rather than merely encoded.

Additionally, be aware that the menuItemSave.json.php endpoint lacks CSRF protection, so implementing CSRF tokens or other protections can help prevent exploitation by tricking admins into saving malicious menu items.

Until the plugin is patched, limit who holds admin access and warn administrators not to browse untrusted pages while logged in, since the cross-site save request only succeeds with an authenticated admin session.
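The rendering fix and the CSRF check described above, as an added example that is not the plugin's own code. The field names, the list markup, and the session-token handling are assumptions; the real TopMenu template and the parameters accepted by menuItemSave.json.php are not shown on this page.

```php
<?php
// Added example, not AVideo code: the unsafe rendering pattern the advisory
// describes beside a hardened version, plus a CSRF token for the save path.
// Field names, markup, and session handling are assumptions.

// Vulnerable: every stored field is concatenated into HTML as-is.
function renderMenuItemUnsafe(array $item): string
{
    return '<li><a href="' . $item['url'] . '"><i class="' . $item['icon'] . '"></i> '
        . $item['text'] . '</a></li>';
}

// Encode for an HTML text or double-quoted attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding does not stop a javascript: URL in href from running on click,
// so the URL also gets a scheme check: relative paths and http(s) only.
function safeUrl(string $url): string
{
    if (preg_match('/^\s*([a-z][a-z0-9+.-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return '#';
    }
    return $url;
}

// Icon classes are a closed vocabulary: anything that is not a list of
// class tokens is dropped rather than encoded.
function safeIconClass(string $icon): string
{
    return preg_match('/^[A-Za-z0-9 _-]*$/', $icon) ? $icon : '';
}

// Hardened: validate the URL and class, then encode every field on output.
function renderMenuItemSafe(array $item): string
{
    return '<li><a href="' . h(safeUrl($item['url'])) . '"><i class="' . h(safeIconClass($item['icon']))
        . '"></i> ' . h($item['text']) . '</a></li>';
}

// CSRF protection for the save endpoint: the admin form carries a token
// bound to the session, and the handler refuses a request without a
// matching one. A cross-site form cannot read the token, so its request
// arrives without it.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function checkCsrfToken(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Constructed malicious item of the kind the description covers.
$item = [
    'icon' => 'fa fa-star" onmouseover="alert(1)',
    'url'  => 'javascript:alert(document.cookie)',
    'text' => 'News<script>alert(1)</script>',
];
echo renderMenuItemUnsafe($item), "\n";
echo renderMenuItemSafe($item), "\n";

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$token = issueCsrfToken();
printf("valid token accepted: %s\n", checkCsrfToken($token) ? 'yes' : 'no');
printf("forged token accepted: %s\n", checkCsrfToken('not-the-token') ? 'yes' : 'no');
printf("missing token accepted: %s\n", checkCsrfToken(null) ? 'yes' : 'no');
```

Run with the php command-line binary. The unsafe line emits the stored payload verbatim (the class attribute is closed early and an onmouseover handler and a javascript: link appear in the page), while the hardened line emits the label as inert text, drops the malformed class, and replaces the script-scheme href with "#". In the real save handler, checkCsrfToken() would be called on the submitted token before any menu item is written, and the admin form would embed issueCsrfToken() as a hidden field.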

Compliance Impact

Because the injected JavaScript runs in every visitor's browser, an attacker can steal session cookies or perform actions as the victim, which amounts to unauthorized access to user accounts and data.

That exposure bears on data protection obligations such as GDPR and HIPAA, which require that personal and sensitive information be safeguarded against unauthorized access and handled securely; an exploited instance of this flaw could therefore constitute a reportable breach under those regimes.
