CVE-2026-33293: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WWBN AVideo
CVE-2026-33293 is a high-severity path traversal vulnerability in WWBN AVideo versions prior to 26.0. It arises from improper sanitization of the deleteDump parameter in the cloneServer.json.php script, allowing authenticated users with clone credentials to delete arbitrary files on the server. Exploitation can lead to deletion of critical files such as configuration.php, resulting in denial of service or enabling further attacks. The vulnerability requires valid credentials but no user interaction beyond that. Version 26.0 of AVideo addresses this issue by implementing proper path validation.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, contains a path traversal vulnerability identified as CVE-2026-33293 (CWE-22) affecting versions prior to 26.0. The vulnerability exists in the plugin/CloneSite/cloneServer.json.php file, specifically in the handling of the deleteDump parameter. This parameter is passed directly to the PHP unlink() function without any path sanitization or validation, allowing an attacker with valid clone credentials to craft path traversal sequences (e.g., ../../) to delete arbitrary files on the server filesystem. Such arbitrary file deletion can target critical application files like configuration.php, which may cause complete denial of service by breaking application functionality or facilitate further attacks by removing security-critical files. The vulnerability requires authentication with clone privileges but does not require additional user interaction. The CVSS 3.1 base score is 8.1, reflecting high severity due to the ease of exploitation (low attack complexity), the requirement of privileges (PR:L), and the significant impact on integrity and availability (I:H, A:H). No known exploits are reported in the wild yet. The issue is fixed in version 26.0 by implementing proper path validation and sanitization to restrict file deletion to intended directories only.
Potential Impact
This vulnerability can have severe consequences for organizations using affected versions of WWBN AVideo. Successful exploitation allows attackers with clone credentials to delete arbitrary files, including critical configuration and application files, leading to complete denial of service. This disrupts video platform availability, potentially impacting business operations, user experience, and service continuity. Furthermore, deletion of security-critical files may weaken the system's security posture, enabling further compromise or privilege escalation. Organizations relying on AVideo for content delivery, especially those with large user bases or critical video infrastructure, face risks of operational downtime and reputational damage. Since the vulnerability requires valid credentials, insider threats or compromised accounts pose significant risks. The lack of user interaction needed makes automated exploitation feasible once credentials are obtained.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is patched with proper path sanitization. Until upgrading, restrict clone credentials to trusted personnel only and monitor their usage closely. Implement strict access controls and auditing on the cloneServer.json.php endpoint to detect and prevent unauthorized file deletion attempts. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in requests targeting the deleteDump parameter. Regularly back up critical configuration and application files to enable rapid recovery in case of deletion. Apply credential hygiene practices such as multi-factor authentication and regular credential rotation to reduce the risk of credential compromise. Finally, perform security assessments and penetration testing focused on file operation endpoints to identify similar vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T18:55:47.426Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c02043f4197a8e3ba1f6e2
Added to database: 3/22/2026, 5:00:51 PM
Last enriched: 3/22/2026, 5:15:54 PM
Last updated: 3/22/2026, 6:09:35 PM