WWBN AVideo is an open source video platform widely used for hosting and managing video content. In versions up to and including 26.0, the endpoint `plugin/AD_Server/reports.json.php` exposes ad campaign analytics data without any authentication or authorization controls. This endpoint returns sensitive information such as video titles, user channel names, user IDs, ad campaign names, and impression and click counts. The vulnerability arises because the JSON API endpoint was not protected by the `User::isAdmin()` check that is correctly enforced on the HTML (`reports.php`) and CSV export (`getCSV.php`) counterparts. This missing authorization (CWE-862) allows any unauthenticated attacker to retrieve detailed advertising analytics data, which could be used for competitive intelligence, user profiling, or targeted attacks. The issue was identified and a patch was committed (commit daca4ffb1ce19643eecaa044362c41ac2ce45dde) to enforce proper admin authorization on the JSON endpoint. The CVSS v3.1 score is 5.3 (medium severity), reflecting the ease of exploitation (no authentication or user interaction required) but limited impact to confidentiality only, with no integrity or availability impact. No known exploits in the wild have been reported yet.

The primary impact of this vulnerability is unauthorized disclosure of sensitive advertising analytics data. Organizations using affected versions of WWBN AVideo risk leakage of business intelligence such as ad campaign performance metrics, user channel information, and video metadata. This information could be leveraged by competitors or malicious actors for profiling, reconnaissance, or crafting targeted social engineering attacks. Although the vulnerability does not allow modification or disruption of services, the confidentiality breach can undermine user trust and violate privacy policies or contractual obligations. For organizations relying on AVideo for monetization or user engagement analytics, this data exposure could result in financial and reputational damage. Since exploitation requires no authentication and no user interaction, the attack surface is broad, increasing the likelihood of opportunistic data harvesting.

Organizations should immediately upgrade to a patched version of WWBN AVideo that includes the fix for this vulnerability. If upgrading is not immediately possible, administrators should implement access controls at the web server or network level to restrict access to the `plugin/AD_Server/reports.json.php` endpoint to trusted administrative IP addresses only. Additionally, auditing and monitoring access logs for unusual or unauthorized requests to this endpoint can help detect exploitation attempts. Developers maintaining custom forks or deployments should verify that all API endpoints enforce consistent authorization checks, especially for administrative data. Regular security reviews and automated testing for missing authorization vulnerabilities (CWE-862) should be integrated into the development lifecycle to prevent similar issues. Finally, organizations should review their data exposure policies and ensure that sensitive analytics data is only accessible to authorized personnel.