CVE-2026-33478: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in WWBN AVideo
CVE-2026-33478 is a critical remote code execution vulnerability in WWBN AVideo versions up to 26.0. It involves a chain of flaws in the CloneSite plugin that allows unauthenticated attackers to access secret keys, dump the database including weakly hashed admin passwords, and ultimately execute arbitrary OS commands via an injection in the rsync command. The vulnerability requires no authentication or user interaction and affects confidentiality, integrity, and availability severely. A patch is available in commit c85d076375fab095a14170df7ddb27058134d38c. Organizations using AVideo should urgently update to a fixed version to prevent exploitation. The CVSS score is 10.0, reflecting the critical nature of this flaw.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, suffers from a critical vulnerability (CVE-2026-33478) in its CloneSite plugin up to version 26.0. The vulnerability chain begins with the `clones.json.php` endpoint exposing clone secret keys without any authentication, allowing attackers to retrieve sensitive credentials. Using these keys, attackers can invoke the `cloneServer.json.php` endpoint to perform a full database dump, which contains admin password hashes stored using MD5, a weak hashing algorithm susceptible to trivial cracking. Once admin credentials are compromised, attackers exploit an OS command injection vulnerability in the `cloneClient.json.php` endpoint. This injection occurs during the construction of an rsync command, enabling arbitrary system command execution on the server. The vulnerability requires no privileges or user interaction, making it highly exploitable remotely. The flaw impacts confidentiality (database and credentials exposure), integrity (unauthorized command execution), and availability (potential system compromise). A patch addressing this issue is available in commit c85d076375fab095a14170df7ddb27058134d38c. The CVSS v3.1 score is 10.0, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and scope change.
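The core defect in the chain above is CWE-78: values that reach the server over the network are spliced into an rsync command line. The following PHP snippet (AVideo itself is written in PHP) is an added illustration and is not AVideo's code or the patched code from the referenced commit; the function names, parameters and the constructed sample values are assumptions. It shows the interpolation pattern the advisory describes next to a hardened builder that allowlists each value and quotes it with escapeshellarg().

```php
<?php
// Added illustration, not AVideo's code: two ways of turning request-controlled
// values into an rsync command line. The function names, parameters and the
// constructed sample values are assumptions for this example.

/**
 * Naive construction. Interpolating untrusted strings into a shell command is
 * the CWE-78 pattern the advisory describes: any shell metacharacter in $host
 * or the paths changes what the shell executes, not just what rsync copies.
 */
function buildRsyncCommandUnsafe(string $host, string $remotePath, string $localPath): string
{
    return "rsync -az $host:$remotePath $localPath";
}

/**
 * Hardened construction: reject anything outside a narrow allowlist, then quote
 * each value with escapeshellarg() so it reaches rsync as exactly one argument.
 */
function buildRsyncCommandSafe(string $host, string $remotePath, string $localPath): string
{
    // Hostname labels (letters, digits, hyphens) separated by dots; nothing else.
    $hostPattern = '/^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/';
    if (!preg_match($hostPattern, $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    // Absolute paths only, no NUL bytes (escapeshellarg() rejects them anyway)
    // and no ".." segments.
    foreach ([$remotePath, $localPath] as $path) {
        if ($path === '' || $path[0] !== '/' || strpos($path, "\0") !== false
            || preg_match('#(^|/)\.\.(/|$)#', $path)) {
            throw new InvalidArgumentException('invalid path');
        }
    }
    // escapeshellarg() single-quotes the value, so the local shell passes it
    // through untouched. -s (--protect-args) additionally stops the remote
    // shell from re-interpreting the path when rsync runs over SSH.
    $source = escapeshellarg($host . ':' . $remotePath);
    $dest   = escapeshellarg($localPath);
    return "rsync -az -s $source $dest";
}

// Constructed sample: a remote path carrying a space and a semicolon. The safe
// builder keeps it inside one single-quoted argument; the unsafe builder would
// hand the text after the semicolon to the shell as a separate command.
$remote = '/var/www/html/videos; x';
echo buildRsyncCommandSafe('media.example.org', $remote, '/var/backups/avideo'), PHP_EOL;
```

Quoting alone is not the whole fix: the advisory's chain starts with endpoints that accept these values without authentication, so the endpoint must also verify the caller before any command is built. Reviewers checking their own deployment can grep for `exec(`, `shell_exec(`, `system(` and backtick calls whose argument is assembled with string interpolation and confirm each interpolated value is validated and passed through escapeshellarg().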
Potential Impact
This vulnerability allows attackers to fully compromise affected AVideo servers remotely without authentication. The exposure of clone secret keys and subsequent database dumps leaks sensitive data, including admin credentials hashed with MD5, which can be cracked easily. With admin access, attackers can execute arbitrary OS commands, potentially leading to full system takeover, data theft, service disruption, or use of the server as a pivot point for further attacks. Organizations relying on AVideo for video hosting or streaming risk severe confidentiality breaches, loss of data integrity, and denial of service. The critical nature of this flaw means exploitation could result in significant operational and reputational damage, especially for entities hosting sensitive or proprietary video content.
Mitigation Recommendations
Organizations should immediately apply the patch referenced in commit c85d076375fab095a14170df7ddb27058134d38c or upgrade to a version beyond 26.0 where this vulnerability is fixed. Until patched, restrict network access to the affected endpoints (`clones.json.php`, `cloneServer.json.php`, and `cloneClient.json.php`) using firewalls or web application firewalls (WAFs) to limit exposure. Implement strict access controls and monitor logs for unusual activity related to these endpoints. Replace MD5 password hashes with a strong, modern hashing algorithm (e.g., bcrypt, Argon2) to prevent trivial cracking if database dumps occur. Conduct regular security audits of plugins and third-party components. Employ intrusion detection systems to detect command injection attempts and anomalous rsync usage. Finally, educate administrators on the risks of using outdated software and the importance of timely patching.
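The recommendation to replace MD5 password hashes can be done without a disruptive mass reset by verifying against whichever format a row currently holds and rewriting the row with password_hash() on the next successful login. The PHP below is an added example written for this page, not AVideo's code; the helper names and the constructed sample row are assumptions.

```php
<?php
// Added illustration, not AVideo's code: migrating legacy md5() password
// digests to password_hash() transparently at login. The helper names and
// the constructed sample record are assumptions for this example.

/** A 32-hex-character value is taken to be a legacy md5($password) digest. */
function isLegacyMd5Hash(string $stored): bool
{
    return (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);
}

/**
 * Verify a submitted password against a stored value in either format.
 * Returns ['ok' => bool, 'newHash' => ?string]; when newHash is non-null the
 * caller must persist it so the weak digest leaves the database.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyMd5Hash($stored)) {
        // hash_equals() keeps the comparison constant-time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return ['ok' => false, 'newHash' => null];
        }
        // Correct password: produce a modern hash (bcrypt under PASSWORD_DEFAULT,
        // or PASSWORD_ARGON2ID where PHP was built with Argon2 support).
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'newHash' => null];
    }
    // Already modern; rehash only if the algorithm or cost is now out of date.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample: one legacy row as it would appear in a dumped users table.
$storedHash = md5('correct horse battery staple');

$result = verifyAndUpgrade('correct horse battery staple', $storedHash);
if ($result['ok'] && $result['newHash'] !== null) {
    // Persist with a prepared statement, e.g.
    // UPDATE users SET password = :hash WHERE id = :id
    $storedHash = $result['newHash'];
}
echo isLegacyMd5Hash($storedHash) ? "still legacy\n" : "upgraded\n";
```

Upgrade-on-login only converts accounts that actually log in; dormant accounts keep their MD5 digests, so expire those or force a reset after a cut-off date. It also does nothing for a database that has already been dumped: an MD5 digest in an attacker's hands remains crackable offline, so credential rotation after a suspected exposure is still required.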
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.970Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c82
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/30/2026, 8:49:45 PM
Last updated: 5/7/2026, 4:29:42 AM