CVE-2026-33479: CWE-94: Improper Control of Generation of Code ('Code Injection') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33479 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The issue resides in the Gallery plugin's saveSort.json.php endpoint, which processes user input from the 'sections' parameter in the $_REQUEST array. This input is passed directly into PHP's eval() function without any sanitization or validation, constituting a classic code injection flaw (CWE-94). The endpoint is protected by a check that only allows admin users (User::isAdmin()) to access it. However, the endpoint lacks Cross-Site Request Forgery (CSRF) token validation, and AVideo's session cookies are configured with SameSite=None, which does not prevent cookies from being sent in cross-site requests. Consequently, an attacker can craft a malicious webpage that triggers a CSRF attack, causing an admin user who visits the page to unknowingly execute arbitrary PHP code on the server. This results in unauthenticated remote code execution (RCE) since the attacker does not need to authenticate themselves but relies on an admin's browser session. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the exploitability is straightforward given the conditions. A patch has been committed (commit 087dab8841f8bdb54be184105ef19b47c5698fcb) to sanitize inputs and add CSRF protections.
Potential Impact
The impact of this vulnerability is severe for organizations using WWBN AVideo versions up to 26.0. Successful exploitation allows attackers to execute arbitrary PHP code on the server with administrative privileges, leading to full system compromise. This can result in data theft, data manipulation, service disruption, deployment of malware or ransomware, and use of the compromised server as a pivot point for further attacks within the network. Since the attack requires only that an admin visits a malicious webpage, social engineering or phishing campaigns could be effective. The lack of authentication requirements for the attacker combined with the high privileges of the exploited endpoint significantly increases risk. Organizations hosting sensitive video content or relying on AVideo for critical services face confidentiality, integrity, and availability risks. Additionally, the SameSite=None cookie setting exacerbates the risk by enabling cross-site requests to carry session cookies, facilitating CSRF attacks.
Mitigation Recommendations
Organizations should immediately update WWBN AVideo to a version that includes the patch addressing CVE-2026-33479. If immediate patching is not possible, implement the following mitigations:
1) Restrict access to the Gallery plugin's saveSort.json.php endpoint to trusted IP addresses or internal networks to reduce exposure.
2) Harden admin user practices by educating admins to avoid visiting untrusted websites while logged into the AVideo admin interface.
3) Modify session cookie settings to use SameSite=Lax or Strict so that cookies are not sent on cross-site requests, mitigating CSRF risks.
4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint, especially those containing suspicious 'sections' parameter values.
5) Monitor server logs for unusual POST requests to the saveSort.json.php endpoint and for signs of code execution anomalies.
6) Implement Content Security Policy (CSP) headers to reduce the risk of malicious script execution in browsers.
7) Conduct regular security audits and penetration testing focusing on plugin endpoints and admin interfaces.
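As an added example (not code from the advisory or from the AVideo project), the following Python scanner implements mitigation 5 over constructed Apache combined-format log lines: it flags POSTs to saveSort.json.php whose Referer is missing or belongs to another host, and 'sections' values that do not look like plain identifiers. The site hostname, the plugin directory used in the sample lines and the identifier pattern are assumptions.

```python
"""Scan access logs for requests to the Gallery plugin's saveSort.json.php that carry
CSRF indicators or code-like 'sections' values. Added defensive example; all inputs are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "video.example.org"   # assumption: the AVideo site's own hostname
ENDPOINT = "saveSort.json.php"    # file name taken from the advisory
IDENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumption: legitimate sort keys are plain identifiers
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def analyse_line(line):
    """Return a list of findings for one access-log line (empty if nothing stands out)."""
    m = COMBINED.match(line)
    if not m:
        return []
    target = urlsplit(m["target"])
    if not target.path.endswith("/" + ENDPOINT):
        return []
    findings = []
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] not in ("", "-") else None
    # A state-changing request whose Referer is absent or foreign is a cross-site indicator.
    # Heuristic only: browsers and privacy extensions may strip the Referer on legitimate requests.
    if m["method"] == "POST" and ref_host != SITE_HOST:
        findings.append(f"cross-site POST from referer {m['referer']!r}")
    # Access logs hold only the query string, not POST bodies, but $_REQUEST reads both,
    # so GET-style parameters are worth inspecting; body inspection needs a WAF or application log.
    for key, values in parse_qs(target.query).items():
        if key.startswith("sections"):
            findings.extend(f"non-identifier sections value {v!r}" for v in values if not IDENT.match(v))
    return findings

def scan(lines):
    """Map (source IP, timestamp) of each suspicious line to its findings."""
    report = {}
    for line in lines:
        found = analyse_line(line)
        if found:
            m = COMBINED.match(line)
            report[(m["ip"], m["ts"])] = found
    return report

# Constructed sample log lines (not real traffic); the /plugin/Gallery/ directory is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Mar/2026:14:30:00 +0000] "POST /plugin/Gallery/saveSort.json.php HTTP/1.1" 200 45 "https://video.example.org/plugin/Gallery/" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Mar/2026:14:31:00 +0000] "POST /plugin/Gallery/saveSort.json.php HTTP/1.1" 200 45 "https://attacker.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Mar/2026:14:32:00 +0000] "GET /plugin/Gallery/saveSort.json.php?sections%5B%5D=Latest&sections%5B%5D=latest%27%29%3B HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]
```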
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.970Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c86
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/23/2026, 2:46:56 PM
Last updated: 3/23/2026, 3:40:32 PM