CVE-2026-33293 is a path traversal vulnerability categorized under CWE-22 affecting WWBN AVideo, an open-source video platform. The vulnerability arises because the deleteDump parameter in the plugin/CloneSite/cloneServer.json.php script is directly passed to the PHP unlink() function without any path sanitization or validation. This allows an authenticated attacker with clone credentials to craft path traversal sequences (e.g., ../../) to delete arbitrary files on the server filesystem. Critical files such as configuration.php can be targeted, potentially causing a complete denial of service by breaking the application or enabling further exploitation by removing security-critical files. The vulnerability affects all versions prior to 26.0, where proper input validation and sanitization have been implemented to mitigate this risk. The CVSS v3.1 score is 8.1, reflecting high severity due to the ease of exploitation (low complexity), the requirement for privileges (authenticated clone user), and the significant impact on integrity and availability. No user interaction is required beyond authentication. No known exploits are currently reported in the wild, but the vulnerability poses a serious risk to affected deployments.

The impact of this vulnerability is significant for organizations running WWBN AVideo versions prior to 26.0. An attacker with valid clone credentials can delete arbitrary files, including critical configuration and application files, leading to complete denial of service. This disrupts video platform availability and can cause loss of data integrity. Additionally, by deleting security-critical files, attackers may create conditions for further exploitation or persistent compromise. Organizations relying on AVideo for content delivery, especially those with sensitive or business-critical video content, face operational disruptions and potential reputational damage. The requirement for valid clone credentials limits exploitation to insiders or compromised accounts, but the impact remains high due to the destructive nature of the attack.

1. Upgrade all WWBN AVideo instances to version 26.0 or later, where the vulnerability is patched. 2. Restrict clone credentials strictly to trusted administrators and monitor their usage closely. 3. Implement additional access controls and logging around cloneServer.json.php usage to detect suspicious deletion attempts. 4. Employ file system permissions to limit the unlink() function's ability to delete critical files outside intended directories. 5. Conduct regular backups of configuration and critical files to enable rapid recovery in case of deletion. 6. Use Web Application Firewalls (WAFs) with custom rules to detect and block path traversal patterns in requests to cloneServer.json.php. 7. Perform periodic security audits and penetration testing focusing on authenticated user actions to detect similar vulnerabilities.