CVE-2025-36548 is a cross-site scripting (XSS) vulnerability identified in the WWBN AVideo platform, specifically affecting versions 14.4 and the development master branch at commit 8a8954ff. The vulnerability resides in the LoginWordPress loginForm's cancelUri parameter, which fails to properly neutralize user-supplied input during web page generation. This improper input sanitization allows an attacker to inject and execute arbitrary JavaScript code within the victim's browser when the victim visits a specially crafted URL. The attack vector requires the victim to interact by clicking or visiting a malicious link, which then triggers the execution of the injected script. The CVSS 3.1 base score of 8.3 reflects a high severity, with the vector indicating network attack complexity is high, no privileges are required, but user interaction is necessary. The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable module, and the impact on confidentiality, integrity, and availability is high. This XSS flaw can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, and potentially further exploitation of the affected system. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was publicly disclosed on July 24, 2025, and assigned by Talos. Given the nature of AVideo as a video hosting and streaming platform, exploitation could impact user trust and service availability.

For European organizations using WWBN AVideo, particularly those in media, education, or corporate training sectors, this vulnerability poses significant risks. Successful exploitation could lead to unauthorized access to user sessions, leakage of sensitive user data, and potential defacement or manipulation of video content. This could damage organizational reputation, lead to regulatory non-compliance (especially under GDPR due to data confidentiality breaches), and disrupt service availability. The high impact on confidentiality, integrity, and availability means attackers could impersonate users, escalate privileges, or conduct phishing campaigns leveraging the compromised platform. Organizations relying on AVideo for customer engagement or internal communications may face operational disruptions and loss of user trust. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users may be less security-aware.

To mitigate this vulnerability, organizations should immediately assess their use of WWBN AVideo versions 14.4 or the affected dev master branch and plan for an upgrade once a patch is released. In the interim, implement strict input validation and sanitization on the cancelUri parameter to ensure no executable scripts can be injected. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Educate users to avoid clicking on suspicious links and consider implementing web application firewalls (WAFs) with rules targeting XSS patterns specific to this vulnerability. Monitor logs for unusual activity related to loginForm requests and cancelUri parameters. If possible, disable or restrict the use of the vulnerable loginForm feature until a fix is available. Regularly update and audit third-party components and dependencies to reduce exposure to similar vulnerabilities.