WWBN AVideo is an open-source video platform that, in versions up to and including 26.0, contains a critical CSRF vulnerability (CVE-2026-33507) in the `objects/pluginImport.json.php` endpoint. This endpoint allows admin users to upload ZIP files containing plugins, which can include executable PHP code. The vulnerability arises because this endpoint lacks any CSRF protection mechanisms, such as anti-CSRF tokens or same-origin checks. Additionally, the application explicitly sets the session cookie attribute `SameSite=None` for HTTPS connections, which allows cookies to be sent with cross-site requests. An attacker can exploit this by crafting a malicious webpage that, when visited by an authenticated admin, triggers a silent POST request to the vulnerable endpoint, uploading a malicious plugin containing a PHP webshell. This results in remote code execution on the server with admin privileges. The attacker does not need to be authenticated but relies on the admin visiting the malicious page, making user interaction necessary. The vulnerability impacts confidentiality, integrity, and availability of the affected servers. A patch has been committed (commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3) to address this issue by adding CSRF protections.

The exploitation of this vulnerability allows attackers to achieve remote code execution on servers running vulnerable versions of WWBN AVideo, leading to full compromise of the affected system. Attackers can execute arbitrary PHP code, potentially leading to data theft, defacement, malware deployment, lateral movement within networks, and disruption of video services. Given that the vulnerability requires an admin user to visit a malicious page, social engineering or targeted phishing campaigns could be used to trigger the exploit. The impact extends to confidentiality (exposure of sensitive video content and user data), integrity (modification or deletion of content and system files), and availability (service disruption or denial of service). Organizations relying on AVideo for video hosting or streaming services face significant operational and reputational risks if exploited.

1. Immediately update WWBN AVideo to the latest patched version that includes the fix for CVE-2026-33507. 2. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block unauthorized POST requests to the `pluginImport.json.php` endpoint. 3. Restrict administrative access to trusted networks or VPNs to reduce exposure to phishing attacks. 4. Educate administrators about the risks of visiting untrusted websites while logged into admin accounts. 5. Review and harden session cookie settings, considering setting `SameSite` to `Lax` or `Strict` where feasible to prevent cross-site requests. 6. Monitor server logs for unusual plugin uploads or webshell activity. 7. Employ multi-factor authentication (MFA) for admin accounts to reduce risk from compromised credentials. 8. Conduct regular security audits and penetration testing focusing on admin interfaces and plugin management functionalities.